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THE COURT: We're in recess for 15 minutes. 

All rise while the jury exits. 

(whereupon, a short recess was had.) 

THE COURT: we're back on the record. Members of 

the jury are present as well as counsel and their clients. 
Mr. Baker, you can call your next witness. 

MR. BAKER: Your Honor, at this time we call 

Michael Barr. 

THE COURT: Raise your right hand, please, 

(witness sworn.) 

MICHAEL BARR, 

called as a witness, after having been first duly sworn, 
testified as follows: 

DIRECT EXAMIN ATIO N 

BY MR. BAKER: 

Q Tell us your name, please. 

A Certainly. I'm Michael Barr. 

Q where do you live? 

A I live in Maryland, near Baltimore. 

Q And are you married? 

A I am. 

Q And do you have any children? 

A I have two boys, six and ten. 

Q How old are you? 

A Forty-two. 
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Q And could you tell us what you do for a living? 

A I'm an embedded software expert. 

Q what does that mean? 

A That is the question everybody always asks, well, I 
will have get to what embedded software is in a minute, but 
let me tell you a little bit about my background. I have 
studied electrical engineering; that is what my degrees are 
in. I have two of them, both from the university of 
Maryland, a bachelor's degree and a master's degree. Along 
the way, earning my electrical engineering degree, I also 
studied software. 

Q Let me stop you there. Pull the microphone a little 
closer, we're having trouble hearing you. As with Dr. 
Koopman, slow down a little bit. 

A Sure thing. 

Q You were talking about your software experience. 

A Yes. So I actually started programming when I was 

about 12. I grew up in a house where we had some of the 
early personal computers like Apple II and before that one 
from Texas instruments. So I became interested in 
programming. And all throughout my education in electrical 
engineering, which really focuses on the design of circuits 
and chips, circuit boards and other electrical aspects, I 
was also studying software programming, so I have been 
programming for about 30 years. 
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Q Who do you work for? 

A I am co-owner of a company called the Barr Group. I 
have a partner who runs the business. I'm the chief 
technical officer of the company, so I oversee our technical 
activities. 

Q what is it that the Barr Group does? 

A The Barr Group helps companies that make embedded 

systems, we will get to what they are, I promise you. we 
help to them make them more reliable and also more secure. 

So we help all kinds of different companies and a lot of 
different industries, we help companies who make -- I 
myself have worked on receivers for Direct TV. So if you 
have a satellite dish or a cable box in your house, I have 
worked on a product like that. 

I have also worked on products that are industrial 
control systems that are used, for example, in a factory to 
do manufacturing. I have consulted with companies and have 
been involved with the design of a number of medical 
devices, both medical devices that are used in treating the 
patients, and also those like pacemakers that could injure 
someone if they malfunction. 

And the Barr Group has a number of clients in a 
range of industries like that, so industrial controls, 
consumer electronics, medical devices, et cetera. 

Q And I know we have got a slide up here with your 
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background on it. Have you put us a PowerPoint slide 
together to help demonstrate some of the testimony you will 
give us today? 

A I have. 

Q All right. I know you mentioned a couple of your 
degrees. Can you go back and tell us when you received 
those degrees, please. 

A Yes. My bachelor's degree was 1994, and my master's 
degree was 1997. 

Q in terms of the Barr Group where you work now, when 
did you start that company? 

A The Barr Group was founded about two years ago, but 
it came out of another company that was founded in 1999 
called Neutrino (phonetic.) 

Q For the jury's benefit, can you give us a little bit 
of your work and background before you started the Barr 
Group. 

A Sure, when I finished my bachelor's degree, I went 
to work for a company that developed a lot of the 
telecommunication systems. The company was called Hughes 
Network Systems, and they made everything from satellite 
receivers for point-of-sale equipment. Like, a gas station 
in a remote area would receive and upload its pricing 
information and sales records through a small satellite 
terminal, and also base station equipment that is used in 
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cellular base station, when you pick up your cell phone and 
it connects to the tower, we made equipment for the tower. 

I was involved with a project there that was called 
an air phone. It was one of the first telephones on an 
airplane, so we were involved in enabling that system, and I 
worked on one of those products there. After that, I 
finished my master's degree, and I went to work for a 
company that had spun out of NASA. 

NASA has a green belt location just outside of 
Washington, DC, and some engineers had left there and formed 
a company to work on satellite ground station equipment to 
communicate with satellites. And I worked there for my next 
job. And pretty much after that, I started consulting and 
founded the Neutrino company. 

Q After your work with the group that came out of NASA, 
is there anything else that you did before working with the 
Barr Group? 

A That was the foundation of Neutrino in 1999. 

Q Looking here at your slide with your background and 

experience, it mentions that you have three patents, what 
do those patents involve? 

A I'm a named inventor on three patents, I'm not the 
only inventor on any of them. Those are related to my work 
with various companies that I have consulted with. So in 
one instance, the first patent was related to a piece of 
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physical therapy equipment which is like a -- kind of like a 
piece of gym equipment, but it is more important that it be 
safe because it is usually helping someone who is injured to 
recover a muscle injury or something like that doing 
repeated twisting motions or lifting motions and things of 
that sort. So one of those is related to -- not all of them 
come off the factory floor identical because of mechanical 
difference and that is related to the calibration to make 
sure they all behave the same way through the software. 

Q Now, I know you discussed some of your work in terms 
of your consulting work, but you mentioned up here that you 
have done specific consulting and training in embedded 
software process and architecture for reliability. 

Can you explain to us what embedded software 
process would mean in that context. 

A Sure. I think Dr. Koopman spoke at length about 
process for safety critical system design, and he talked 
about some of the international standard safety processes 
like MISRA. And I think he talked about 61508, which is an 
international standard not specific to automotive. 

So software process relates to how the software is 
specified and built. And there is -- that is the process. 
The architecture consulting relates to once you decided what 
you want to build and that you're going to follow a coding 
standard and do those other things to ensure that the 
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process is in place, architecture relates to the design of 
the software at a high level. 

Before you get down to the individual line of code, 
how do you structure things, and that is the architecture. 

It i s kind of like the architecture of a building, in the 
architecture of a building, they're not necessarily 
concerned with who is in what office and how it is 
decorated, they're concerned with how many bathrooms there 
are, how many floors there are, what the supports are. 

Q It also mentions here reference to you served as 
editor and a columnist and a conference chair. Can you tell 
us about that. 

A Yes. For about 3 1/2 years I served as editor in 
chief of an industry publication with about 60,000 embedded 
software engineers as readers. Believe it not, there is 
that many of them. And the magazine focused on good 
practices for designing embedded software. And our readers 
were our authors, so I was serving in a selection role 
selecting the best articles, the best techniques, and making 
sure that they got published. 

Q within that role, would that have been the time that 
you published some of the 65 articles and papers that we see 
here? 

A I started writing articles before I did that, in 
fact, that's how I ended up getting involved in that. My 
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first article was published in 1997. And then I published 
articles and columns during that time, during those 3 1/2 
years, but I continued to do so right up to the present day 
and other publications as well. 

Q And you reference three books, and we have a picture 
of those three books? 

A we do. 

Q Can we see that, please, when was this first book, 
Programi ng Embedded Systems published? 

A This first book was published in -- the copyright 
date is 1999, but it came out late 1998. And that book was 
actually very popular. It is a book that introduces new 
engineers and programmers to the aspects of programming that 
that are specific to designing embedded systems. So it was 
sold in tens of thousands of copies. It was -- I have up 
here a picture of the Japanese cover. So around 2000 or 
2001, this book was translated into Japanese, Taiwanese, 
Chinese, and Korean. 

Then later in 2006, another author came along and 
made a second edition of it, and I served more as an 
editorial role at that time. 

Q what is the next book? 

A The next book is called The Embedded Systems 
Di ctionary. I wrote that book in 2003 with another industry 
experts who had been a columnist and a contributor to the 
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magazine that I was editor in chief of, and it defined about 
3,000 basically engineering terms that people use our in our 
industry, in the embedded system space, provided concise 
definitions of them so that we could all -- many of them we 
did have a common understanding, but there were certainly 
some where we didn't, so we tried to rectify the language 
and clarify some things. That was published in 2003. 

Q what about the last book? 

A The last book was published in 2008, and that was 
called The Embedded C-Coding Standard. There has been a 
second edition of it in 2012. And you heard about MISRA-C, 
and I will also talk a little bit about MISRA-C today. This 
is not a replacement for MISRA-C. There are some embedded 
programs that are not safety critical, and can use this 
standard, which is designed specifically to keep bugs out of 
systems and has some overlap with MISRA-C but is a 
lighter-weight version, if you will. 

It is also complimentary with MISRA-C in that 
MISRA- C is silent about style. It is more about rules that 
you should use to make your program safer, and this is both 
some of those safer rules and also stylistic rules to make 
your programs more readable and easier to obtain. 

Q All right. I will back up just a minute. You talked 
about your consulting work and the things that you do with 
Barr Group. As part of your consulting work, have you from 
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time to time done exactly what you're doing here today, 
acting as an expert related to software and embedded 
systems? 

A I have. 

Q what sort of things have you done in terms of that 

type of consulting? 

A Probably the most common engagement I've been 

involved with is patent disputes. So I've worked on patents 
related to smart phones, set-top boxes like the Direct TV 
receivers. Sometimes there are disputes between those who 
patent an idea and those who make a product about whether 
there is an and infringement between the two. And I often 
get involved in looking at the source code for the product 
that the accused to see if it infringes the patent or not. 

Q You just mentioned the word source code. And I know 
we will talk about it a lot today. Can you go ahead and 
tell us what source code means. 

A Yes. I have a example of it coming up, but the 
source code is just simply for now the human readable part 
of a software program. So there is the human readable part 
that the programmers write and maintain, and then there is 
the nonhuman readable binary part or version that the 
computer understands. 

And there are tools called compilers and things of 
that nature that convert the human readable into the machine 
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readable part. 

Q Does the source code, I guess from my layperson's 
view, the instructions that have been written by a human 
that the computer reads so it knows what to do that? 

A That is a good general explanation of it. Yes. 

The source code is what the humans write to tell the 
computer what to do. 

Q Now, you have been retained in this case to look 
specifically at certain aspects. Can you tell us what you 
were asked to do in this case. 

A Yes. So I have reviewed the source code for the 
engine control module in the 2005 Camry vehicle that was 
driven that day. And also in the -- I reviewed the facts of 
the incident in terms of what happened. And then I have 
expressed opinions with respect to the software and with 
respect to the incident as it relates to the software. 

Q So you were asked to look at the software and 
determine whether it worked or not in this vehicle? 

A That's correct. 

Q And you mentioned looking at several things, in the 

information you've looked at, have you looked at 
depositions? The jury has heard about depositions. Have 
you looked at depositions? 

A I have. 

Q Have you looked at what I call fact witness 
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1 depositions from people who saw or witnessed things related 

2 to the wreck? 

3a I have. 

4 Q There are a number of experts, jury already heard 

5 from a few of them. Have you looked at expert depositions? 

6a I have. 

7 Q There have been -- there has been some testimony 

8 about Toyota documents. Have you looked Toyota documents 

9 that have been produced? 

10 A A lot. A lot of Toyota documents. Yes. 

11 Q There is a bunch of boxes back here. Have you looked 

12 at enough documents to fill many, many boxes? 

13 A I've had access to probably more pages of documents, 

14 but many of them were produced electronically, so I don't 

15 know how big they would be when printed. But I imagine it 

16 would be larger than that. 

17 Q Have you used those as part of your analysis to 

18 render opinions in this case? 

19 A Yes, I have. 

20 Q Also, as part of your analysis in this case, have you 

21 reviewed sworn testimony of people who claim to have also 

22 had unintended acceleration events? 

23 A I have. 

24 Q And have you used that to help you analyze the facts 

25 in this case? 
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A Yes, I have. 

Q As part of your review in this case -- and let me 
step back -- this is not the first Toyota UA case that you 
have been involved with, correct? 

A That is correct. 

Q Have you written reports related to those other 

cases? 

A Yes . 

Q And in a general context, have you also written a 

report that embodies much of your analysis of Toyota 
software or source code? 

A I have. 

Q Does it encompass 13 chapters? 

A Yes. It consists of a summary report and 13 chapters 
of detai 1 . 

Q is this the approximately 800 pages worth of analysis 
that you have done related to Toyota software? 

A That's right. 

Q All right, what I would like to do now is move on to 
your analysis and talk about some of the terms that we will 
be hearing about, okay? 

A So embedded systems is probably something you're 

wondering about, it is all over my bio and things like that. 
Embedded systems are simply computers that you don't think 
of as computers, your microwave oven, this laser pointer, 
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1 the Nike fuel band that I wear as a watch and a pedometer. 

2 Those are all examples of embedded systems. Like it or not, 

3 the world is producing over 10 billion of these a year. 

4 in fact, when you think of a computer and you think 

5 of a laptop or a desktop computer, that is about one or two 

6 percent of all the processers that are being made. A lot of 

7 less expensive processors are going into everything from 

8 these kinds of examples to satellites in the sky, your TV. 

9 That TV that is there has a computer inside it and software. 

10 So those always consist of the electronics, a processor and 

11 software. 

12 Q And as these embedded systems, computer embedded 

13 software systems that you're trained and have experience in 

14 analyzing and writing? 

15 A Yes. 

16 Q Are these systems also included in cars? 

17 A They are. They have been included in cars for quite 

18 a while. One of the early motivating reasons for including 

19 a computer in the car was related to emissions control. So 

20 putting a processor and software at the heart of the car in 

21 order to control the spark timing is something that has been 

22 done going back several decades now. 

23 Q As we see on the slide, has it evolved to where it 

24 encompasses many, many functions that go on within an 

25 automobile? 
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A Absolutely. It was probably 2006 when I saw a BMW ad 
that said for the series 7 they said we have over 100 
processors inside this car. And that included things like 
in a seat, when you raise and lower electronically the seat, 
there may be software involved in that with some cars, when 
you can remotely control the mirrors, there may be software 
involved with that. Some of the cars have automatic, the 
mirror will automatically go back. 

So, basically, a modern car is a network of 
computers, we will talk a lot about the engine control 
module, but there are also air bag computers, and there are 
also anti lock brake computers, and there are a number of 
other safety systems in a car that are embedded systems. 

Q And we will focus through your testimony on the 
electronic throttle control system? 

A That's correct. 

Q Let's move then to what you have specifically looked 
at in terms of Toyota's source code for the electronic 
throttle control system. 

A So I've had access to a secure room located in 
Maryland that had Toyota's source code and a number of other 
source code related documents produced in it. And in that 
room, I had access to the source code for the engines of a 
number of different Toyota vehicles, including the 2005 
Camry, but also other models like the Lexus ES, the Tacoma 
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1 and some others. And for many model years, from about 2002, 

2 when Toyota first introduced the electronic throttle 

3 control, until generally 2010 model years. 

4 Q And you mentioned here what you saw was subject to 

5 confidentiality agreements? 

6 A Yes. 

7 Q I mean, just any of us could walk in off the street 

8 to this facility that used to be in Maryland and take a look 

9 at Toyota source code, could we? 

10 A No. There were only 12 experts have ever been 

11 allowed in. 

12 Q As I understand, that secure facility has now been 

13 moved to California? 

14 A Yes. It was recently moved. 

15 Q And a moment ago, we heard some testimony very 

16 briefly where some phrases from the source code were used 

17 when we were listening to Mr. Osawa's testimony. Do you 

18 recall that? 

19 A I do. 

20 Q And is it those bits of information and how they're 

21 described in Toyota source code that are subject to this 

22 confidentiality agreement? 

23 A That's correct. 

24 Q is the operating system for these vehicles you listed 

25 here from 2002 to 2010, the Camry, the Lexus ES and the 
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Tacoma substantially similar? 

A Yes. There are, to be clear, there are two different 
of operating systems that Toyota used in that time frame; 
one was a version of Itron, (phonetic) and the other was a 
version of OSEK. And I will come back and talk, more about 
OSEK which is relevant to the 2005 Camry. with respect to 
the details that I will talk about, they are substantially 
si mi 1 ar . 

Q in terms of the software that actually runs the 
electronic throttle control system for the Camry, the Lexus 
ES, and the Tacoma in the year models that you have up here 
2002 to 2010, is that software substantially similar for the 
analysis that you're doing? 

A Yes . 

Q And I guess I should have asked this earlier: I know 

you've testified in court before, but have you ever 
testified in court about the Toyota software issues that 
you're going to talk about today? 

A No. This is the first time I've talked in court 
about what I've seen in this code room. 

Q The type of software review that you've done in terms 
of Toyota software code, is that standard type of procedure 
used to evaluate source code for any type of product? 

A That experts see source code is not unusual, but the 
protections around this source code are certainly unusual in 
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my experience. 

Q All right. And I don't know if you can explain it to 
us. Give us just a general idea of exactly what it is when 
you go to review source code, what is it you're doing? Are 
there books there that have the source code written out? 

A Thankfully no. The source code review involves 
looking at electronic documents on computers. There is 
basically a room the size of a small hotel room that is 
disconnected from the internet, no cell phones allowed 
inside or would work inside, in that room there is about 
five computers and some cubicles. 

in there, it is possible to believe view on the 
computer screen Toyota's source code, we couldn't take any 
paper in, take any paper out, couldn't wear belts, watches. 
There was a guard. It was worse than airport security was 
on the way here. Each time in and out, even to go to the 
bathroom. 

Q How much time did you spend doing an analysis of 
Toyota source code? 

A Countless hours. I haven't -- I mean, over a 
calendar period, it has been approximately 18 months that we 
had access to the code. I guess now it is maybe closer to 
20 since the first production of source code for those 
vehicles. And so I was supported in there by a number of 
other engineers, including three from my own team from the 
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Barr Group. 

Q And we heard some discussion about a NASA study 
related to this Toyota UA issue and the software. Did NASA 
have access to some of this source code? 

A NASA was brought in to look at source code because 
NHTSA couldn't get to the heart of the problem, it didn't 
have any software engineers on staff. So NASA was given 
access to a few model years of Camry source code, as I 
understand it, at a Toyota facility in California. 

They didn't have as much time. They didn't have as 
many vehicles, and so what we did actually was to build on 
their work. First, we confirmed that what they were seeing 
was consistent with what we were seeing, at least for the 
vehicles that they had, the 2005 Camry was the one they 
wrote about. And we also dug deeper, and so we pushed on 
various topic issues researching different aspects of the 
software design. 

And importantly, NASA had a very tight time line 
and not necessarily unlimited resources or unlimited time to 
review the code. This is a Toyota document where they were 
discussing the NASA project internally. And Mr. ishii's 
name -- and apologies for mispronouncing these Japanese 
names, I'm sure -- Mr. ishii's name is on this document, and 
he is talking about how he or someone was talking to him 
about NASA has a very short time line, only a few months to 

***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



40 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


reach their conclusion. And that was the NASA process. 

Q And I know we will talk about it in depth as we go 

along, but did NASA have access to as much information as 

you ultimately had in reaching conclusions about Toyota 
software? 

A No. Even just for the 2005 Toyota Camry we had more 
documents, we had more source code, we had more things than 
NASA had . 

Q Can you show us an example of what source code looks 

like. And I know what is on your slide is not Toyota source 

code, it is just an example, right? 

A That's correct, we don't need to clear the room. 

This is just a simple example of source code in the same 
programming language that Toyota's main computer source code 
was written in. And that is the C programing language, the 
letter C. And it probably looks like nothing, right? But 
Dr. Koopman talked about how it is a -- like a recipe. 

And so this is basically, what I put here, is some 
sample code in the C language for a recipe for something 
that most children in first grade or second grade can do, 
which is to figure out if you give them two numbers which 
one is larger. So this is a recipe for a computer to take 
any two numbers, and the recipe name is also the function 
name, which is larger of. 

Now, I chose that name. I could have chose a less 
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descriptive name, or I could have chosen a more descriptive 
name. And the ingredients that the recipe relates to are 
what are called variables, so here A and B. So this is a 
generalized recipe. You can give it any two numbers. 

So you might tell a child is 67 bigger than 63 ? My son can 
do that. And this computer can do that by passing 67 as A 
and 63 as B, and then the recipe will compare them. 

The first line here says if A is bigger than B, so 
if 67 is bigger than 63 , then return 67 . And if the 
situation was reversed, let's say it was 63 first and 67 
second, then this "if" would fail, and we would go to the 
"else," and then we would return the 67 that came into 
second -- called parameters when they are passed -- so that 
is the recipe for comparing two numbers to see which one is 
larger and returning back the larger one. 

So another part of the software can use this recipe 
at any time. And the last thing that I wanted to talk to 
you about is these things over here between the slash stars, 
and those are just simply comments. 

Q Are both of those comments? 

A They are. I only marked one of them. So the 
comments are simply more human readable stuff, but that 
stuff is it never seen by the computer. That stuff is there 
for the benefit of the programmers to explain what they are 
trying to do. So one way of explaining what you're trying 
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to do is pick good variable names and good function names. 
And another way to explain what you're trying to do is to 
write a lot of comments or a commentary to explain what it 
is that you're trying to do. 

Q All right, in terms of Toyota's source code that you 
would have reviewed for your analysis, I mean, you have 
shown us something here in English, was it in Japanese? 

A The source code was written in English. The variable 
names were in English. The function names were in English, 
and the things of that sort. The programmers were working 
in English. However, the comments were predominately in 
Japanese, we actually had a tool that came from a Japanese 
company that called Atlas that we could run in the room to 
translate things. 

At first, we would cut and paste a particular 
comment into this tool, and we could read what it said in 
English. But then we actually had a small project where we 
wrote an automated process of converting all the comments at 
once into English so we could look at the code with the 
original English source code exactly as it had been and the 
translated comments next to it. Not everything was 
translatable automatically like that, but most of it was. 

Q And I know you have given us an example here of 
comments just so we understand what you're talking about. 

Do you always have comments in lines code? 
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1 A Generally there are comments in source code. There 

2 need not be in order for the compiler to make a program, but 

3 they're generally are and should be so that the humans 

4 working with the code can understand it. 

5 Q And you just mentioned a word there, compiler, in 

6 terms of reading source code, what is a compiler? 

7A a compile is a development tool that programmers use. 

8 It i s another piece of software, one that they use to take 

9 the human readable code and turn it into machine readable 

10 binary code that can be downloaded in your car, for example. 

11 Q when you say it is turned into binary code, what is 

12 binary code mean? 

13 A Sorry. Binary codes is ones and zeros. And the 

14 machine knows what to do with them because it knows that it 

15 should group them together into groups of 16 or groups of 32 

16 and that certain ones are instructions that it know what to 

17 do like add two numbers, compare two numbers, see if 

18 something was zero, move to another address, things of that 

19 sort. And the compiler generates sequences of these 16 or 

20 32 bit instructions, which are a bunch of binary bits. And 

21 the computer knows how to interpret them and what to do to 

22 follow the recipe in that situation. 

23 Q Now, you mentioned using your tool to help you 

24 translate part of the comments into English, were you 

25 requi red to use any other types of tools that would help you 
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or assist you to read the source code while you were in the 
source code room? 

A well, we weren't required to necessarily, but we had 
access to a number of tools that we did use. we requested 
that certain tools be placed into the room when the room was 
open. And those tools included the actual Green Hills 
compiler that Toyota used, a related set of utilities that 
would have been used in a software development process, 
names I don't need to bother you with. 

And also, importantly, a simulator which Green 
Hills provides, along with the compiler, which is able to 
pretend to be the target processor so that you can run code 
and step through it one instruction at a time, if you like, 
or set places where you want to stop and see what is going 
on. we did take advantage and use that simulator in our 
analysis of the source code in the code room as well. 

Q would the simulator help you to read or understand 
the instructions in the code as if it was running in the 
vehi cl e? 

A Yes. But of course the simulator itself is just 
running on a desktop computer, so it is not a vehicle. So 
it cannot simulate all the things that a vehicle can do. 

Q were you able to run certain tests on the software in 
the source code room? 

A Yes . 
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Q What sort of tests did you run? 

A well, so, for example, we were examining the 

operating system and understanding how the operating system 
worked, and we were able to use the simulator to both 
examine what is happening while the computer ran or what 
would be happening in the car. And also to analyze certain 
aspects of its behavior to see if it functioned as it said 
in the user manual, for example, or as it said in the source 
code and things of that sort. 

Q As you're reviewing the source code, did I hear you 
say earlier that you couldn't take notes and carry them out 
of the room? 

A No. To-do lists were a bit of a problem. You had to 
remember that you wanted to get something when you got out 
of the room and then go look it up, and you had to remember 
what it was you learned when you went back into the room. 

It was quite an impediment to the process. 

Q while you were in the source code room using some of 
these tools and reviewing the source code, were you able to 
identify any coding rule violations? 

A Yes. Many. 

Q was there a specific tool that you used to do that, 

or was that a manual process that you yourself had to go 
though? 

A well, checking for compliance with coding standards 
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can be done both by reviewing things as a person sitting 
there looking at the code, but that is not necessarily 
efficient. So for some coding rules, at least, there are 
tools called static analysis tools which look at the source 
code for you and look for certain types of rule violations, 
and we had access to several tools of that sort in the code 
room, and we used them. 

Q And you were here last week for Mr. ishii's 
deposi ti on? 

A Yes. I heard that. 

Q He mentioned something about source code modules. Do 
you understand what he was talking about? 

A Yes . 

Q Explain that to us briefly. 

A Yes. So the source code consisted of for a 
particular vehicle on the order of a million lines of code. 
And so by a line of code, I mean like a line in a document. 
So if you look at the page of a word document, it might have 
50 lines on. if you were to print out a million lines of 
code, you can imagine it would be pretty large. 

The source code is generally, and Toyota's was, 
divided up into what are called modules. So related 
recipes, or parts of the recipe are grouped together in 
files, just like I broke up my report into a summary and 13 
chapters. They broke up their software into approximately 
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4,000 files. Don't quote me on that number, but it is on 
that order. 

Q So while you're there, knowing that they are in 
modules is your focus to look for the modules that relate to 
electronic throttle control? 

A well, in one since there are modules that relate to 
electronic throttle control because they are recipes that 
are specific to electronic throttle control. But in another 
sense, it all relates to electronic throttle control because 
it is all running on the same processor. So one part over 
here that might not appear to be named as throttle control 
recipes can actually interfere with and cause problems with 
the throttle control recipe. 

So it is not that we only looked just at the code 
that said, Here are the throttle recipes, we did, but we 
also had to look at other parts of the code as well. 

Q Through this source code review, were you able to 
identify bugs within Toyota's software? 

A Yes . 

Q what sort of tools did you use to identify those 
bugs? 

A Most of the bugs that we -- that I wrote a whole 
chapter on bugs that we found in their code -- most of those 
were found inadvertently. They were found when we were 
reading some module to see how it worked because we were 
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1 understanding the system, and we found that there was a bug 

2 in the code. 

3 The other way that we found bugs was when we ran 

4 the static analysis tools, for example, to see if there were 

5 rules violations. Sometimes those rule violations or the 

6 results from the tool would be -- would turn out to be bugs. 

7 So the static analysis tool doesn't say this is a bug, it 

8 says there might be a bug here, we investigated those, and 

9 some of them were bugs. 

10 Q Did you find all the bugs in the software that you 

11 reviewed? 

12 A Absolutely not. 

13 Q Why not? 

14 A Because there is a lot of bugs, and all indications 

15 are that there are many more, we haven't specifically gone 

16 out looking for bugs. The metrics, like the code complexity 

17 and a number of global variables, indicate the presence of 

18 large numbers of bugs. And just the overall style of the 

19 coded is suggestive that there will be numerous more bugs 

20 that we haven't found yet. 

21 Q And we have talked about bugs. Can you for the 

22 benefit of all of us tell us what you mean when you say 

23 there is a software bug. what does that do to the software? 

24 A Software bug causes the software not to work right. 

25 It can be a little thing, if you're editing a word document 
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on your computer, you might see that suddenly one area of 
the screen is not drawing right, and you have to refresh or 
close the application and bring it back. So that little 
momentary glitch that you might see, or it could be 
something big like the whole program crashes or the whole 
computer crashes and you have to start over. 

Q You were here earlier and heard Mr. Osawa's 
testimony? 

A I did. Yes. 

Q You understand that he was a Denso engineer? 

A I di d . 

Q And Denso provided the monitor CPU within the 

electronic throttle control system? 

A Yes. That's one of the things that they did. 

Q Did you hear his testimony where he said they had 

never found any bugs in their software? 

A I did, but I didn't think he was just referring just 
to the monitor CPU. 

Q My question goes back to this: is there any software 

that you're aware of that does not have bugs? 

A No. 

Q And we will talk more about this later, but I want to 
go ahead and bring it out. The term task death. Can you 
give us just a general description of that, because we will 
need it as we go on. 
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1 A Sure. I think it is a bit premature. I can give you 

2 briefly that a task death is a type of software malfunction. 
5 Q Were you able to test for task death while you were 

4 in the source code room? 

5 A Yes. 

6 Q And were you able to cause a task death in the source 

7 code room? 

8 A Yes. we able to confirm that tasks could die in the 

9 Toyota ETCS and that would cause a software malfunction. 

10 Q Go to the next slide. Tell us why you put this in 

11 here. 

12 A Yes. Before we talk about the software anymore, I 

13 think it is important that we all sort of have a high-level 

14 view of what is going on. And you might know how a car 

15 works, you might have thought about it some, but not in a 

16 while. Let's start at the beginning. The driver has two 

17 ways of controlling a vehicle's speed or making it go 

18 faster. One of those is using the accelerator pedal. The 

19 more you push down, the faster the car goes. The other is 

20 using the cruise control where the computer and the software 

21 will take over and keep the speed at a constant. 

22 On the right-hand side, I have drawn fuel, air and 

23 spark. And that's because you need those three elements in 

24 order to make the engine go, at least in the gas engine. A 

25 useful analogy is if you have ever pushed a child on a 
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swing, or someone on a swing, you know that you are giving 
them motion, but they also have a certain motion of their 
own that will continue if you stop. 

Same is true with a combustion engine. The 
combustion engine is causing the piston to go up and down 
and the crank shaft underneath to rotate and move the 
pistons up and down together. There is a certain amount of 
that motion that is like the swing going back and forth that 
will keep going briefly. 

The spark, or the fuel, first of all, is you have 
to have energy. You, yourself, have to have energy in order 
to push them. That's where -- the energy comes from the 
fuel. The spark relates to the timing when you push, if 
you push at the wrong time, you know you will not get as 
much umph, you are not going to cause as much of an increase 
in the power of the swing unless you hit at the right 
moment; that's what the spark does. The spark ignites the 
fuel at the right time. 

The air that is in chamber that is compressed in 
the chamber with the fuel, that is coming in through 
something called the throttle. And that is controlling how 
hard you push. So the more air that you let in through 
throttle, the more push you are giving to the swing; 
therefore you will get a faster engine out. And the spark 
is just going to follow along and hit it at the right time. 
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The air is really going to provide the power for the engine. 

Q So is our throttle control system and the area that 
we're concerned about what is controlling the air in the 
system? 

A we are. And I will get there in a minute. So the 
throttle, for a minute, it is a fancy word, in a car it is a 
fancy word, but it is really no different than you turning 
up the hot water in your shower. You get in the shower and 
your turn the knob, what is happening inside that pipe is 
there is something blocking the water, and then there is not 
something blocking the water. 

You can make it 100 percent of all the capacity 
that it has hot, or you can make it zero percent of all the 
capacity that it has hot. The same is true in the car's 
engine, when you close the throttle, you're robbing the 
combustion engine of its fuel, of its power. There is still 
the gas, of course, but you need fuel and air ideally in a 
certain ratio in order to cause the explosion. 

So the air comes through the throttle, if you 
think about an older car, where your foot on the accelerator 
pedal is always adjusting the throttle, your foot is 
directly in control of how fast the engine is going, and 
that is what is giving the car power. The change to the 
electronic throttle control, which with Toyota began in 
about 2001 in the Prius and 2002 in the Camry, at least in 
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the united States, that means that earlier car computers had 
been in charge of the spark and the fuel. 

They had been in change of two of the things that 
make a car go. But the driver had always been directly in 
control of the air, which is directly related to how much 
power the engine has. when electronic throttle control 
comes in, you have software that is now responsible for all 
three of them at once. So you have a portion of the 
software, the job of which is to make the spark at the right 
time, inject the fuel at the right time and the right 
amount, and open the throttle a certain amount. 

And the throttle opens to allow air to actually be 
sucked in. Not blowing in air, but instead the vacuum that 
is left behind, after the previous combustion, you have 
blown up everything in there, every air particle and every 
gas particle, for the most part is gone. So you have to put 
in both new fuel and new air. So it actually the vacuum 
sucking the air out of the throttle, out of the tube, into 
that chamber that is causing it. So you're just allowing 
more air to flow in and the combustion is taking it from 
there. 

The software in electronic throttle control is 
responsible for all three things, which means if the 
software malfunctions, it has control of the engine and can 
take you for a ride, what is of particular importance is 
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1 that there is another part of the software that is looking 

2 at the driver controls, looking at the accelerator pedal and 

3 cruise control -- it is looking at more than that, but that 

4 is a simplification, that is appropriate right now -- so 

5 there is a part of the software looking at what the 

6 accelerator pedal position is, is it down, is it up, how 

7 much down. Then that is translating that into a calculated 

8 throttle angle. And then another part of the software is 

9 performing the sparking and the throttle control. 

10 Q is this what is referred to when we heard it here 

11 drive by wi re? 

12 A Yes. Some people call it drive by wire. It is 

13 confusing to me because there used to be a wire and they 

14 took the wire out and they call it drive by wire. 

15 Q Do you have an example of what Toyota's computer 

16 module looks like that controls these things? 

17 A Yes. 

18 Q So I think you have a laser pointer on that thing 

19 that you have? 

20 A Do we have the actual board. 

21 Q I do. Explain to us what we have here. 

22 A So this is a photograph of the ECM . And this ECM , or 

23 engine control modules, has two big chips on it. Has a 

24 bunch of other chips, capacitors, circuit tracers that you 

25 can see, and other things. This biggest one, the square 


***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



55 


1 one, is the main CPU. It is a type of a CPU or a model of 

2 CPU called a V850. That is kind of the equivalent of 

3 calling it a Pentium. V850 is the model number of that 

4 processor. Comes from a company, a supplier of Toyota that 

5 used to be called NEC. It has since changed its name. 

6 Then there is a second rectangular chip here, and 

7 that chip is what has been referred to by various witnesses 

8 as the monitor CPU, the ESP-B2 and sometimes the sub-CPU. 

9 importantly, each of those is a processor with its own 

10 software. Then, of course, all together they comprise an 

11 embedded system. 

12 Q So the software that we're going to talk about is 

13 stored within components on this board? 

14 A Almost always when I'm talking about the software, 

15 I'm talking about the software on this main CPU, which 

16 performs the throttle control, the combustion, monitors the 

17 accelerator, and all those things, cruise control. But 

18 there is also software, and I will specifically call out 

19 when I'm talking about this monitor CPU and its software. 

20 Q This is from a 2008 Camry? 

21 A This particular photo is from 2008 Camry. 

22 Q is the 2005 generally very similar to this? 

23 A The chips would be moved around a little bit, but in 

24 terms of the electronics of what is there, there is a V850 

25 processor, there is an ESP-B2 . From a substantial 
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similarity point of view, they are very similar. 

Q Can you tell us what this is. 

A That is the very 2008 ECM that this photograph 

refl ects . 

Q would this be the general size of the board that 
contains these compute components with a 2005 Camry? 

A They are about the same. Correct. 

Q Let's talk about safety critical systems? 

A So a safety critical system is an embedded system, 
but it can also kill or injure someone. So my Nike fuel 
band is not going to kill or injure anyone. But a car i s an 
example of an embedded system, at least some of the 
computers inside it, can cause injury. Now, it wouldn't be 
a case necessarily of the mirror control, but it would be 
the case of the engine control. 

Q So do you consider the electronic throttle control 
system to be a safety critical system? 

A I do. 

Q what sort of things can possibly go wrong with such a 

system? 

A well, the risks in such a system are manyfold. The 
first is that these electronics are being driven around, 
bounced around, splashed around, and in a generally rough 
environment. A lot of embedded system designers don't have 
to worry about their products doing anything other than 
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sitting on a desktop, but a car is a very harsh environment. 

So it is a noisy environment, electrically noisy, 
there is a lot of vibrations. And so one of the things that 
can go wrong -- and this can happen in any electronics, but 
it can particularly happen in a car electronics -- is some 
sort of glitch in the electronics. And that means that 
momentarily one bit inside a chip flips or an electrical 
pain takes on the wrong value. 

with a digital value, if you have an in-between 
number between zero and five volts, you might inadvertently 
get momentarily wrong signal, and that can affect what the 
software does. So that is one thing that can go wrong, a 
glitch in the hardware. You heard Dr. Koopman talk about 
the bit-flips. Another thing that can go wrong is that 
there could be a software bug and it can be activated at any 
time. So the software bug is latent, always there, but then 
you happen to be driving a car that day and the software bug 
suddenly, because of something the car did or a glitch in 
the electronics or something else, it suddenly activates, 
and now you have a malfunction. 

And any reasonable -- any program of reasonable 
size is going to have bugs in it, so you have to, as a 
designer, expect random hardware faults and also there are 
software bugs in there. 

Q Let me ask you a question about that: in terms of 
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1 software bugs, just because they're there will they always 

2 cause a malfunction? 

3 A Just because they're there doesn't mean they will 

4 always cause a malfunction. No. 

5 Q Are some bugs such that there has to be a specific 

6 condition met with the product, the car, whatever in order 

7 for them to manifest themselves? 

8 A Yes. So just going back to my simple example of the 

9 larger recipe, that is a very simple recipe. But suppose it 

10 was a more complicated recipe and we gave it two numbers, 

11 you know, 8,012 and a million and 16. And for that case, 

12 maybe because one of the numbers was over a million or maybe 

13 because of the difference between the two numbers or maybe 

14 because of a bounce that this car did at that very moment or 

15 an electrical glitch or something else, it gives the wrong 

16 answer, instead of saying the larger number is a million, 

17 it says the larger number is 8,000. That i s an example of a 

18 bug that was there. It might have never caused a problem, 

19 but in that particular instance, it caused a problem. 

20 Q For example, there has been some testimony or 

21 discussion in this case that Ms. Bookout bought this car, 

22 driven it for several years, put about 9,000 miles on it, 

23 never had a problem. I don't think there is any dispute 

24 about that, in a circumstances like that, could the car 

25 have bugs but yet never display them? 
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A Yes . 

Q in order for the bug to display itself, would the 
vehicle just have to meet and put itself in certain 
conditions that would bring that bug to the surface? 

A Yes. But let me just be clear that there is vehicle 
operating conditions and then there are software operating 
conditions. So you can think about the vehicle operating 
conditions is like whether you're accelerating, whether 
you're decelerating, whether you are pressing the brake, 
whether you are not pressing the brake, whether you have 
cruise control on, whether you don't. Those are all 
different examples of the vehicle being in different states. 

But also the software internally contains many 
thousands of variables, all of which can have different 
values at the moment. Think about that spreadsheet full of 
numbers that Dr. Koopman talked about. That is all going on 
at the same time. Essentially, all the possible values of 
those things represent different software states. 

So you have a very large -- measured in billions or 
trillions, or essentially an infinite space -- of software 
states, if you get yourself into one of those corners, then 
the bug can occur. And that might not be because of what 
you were doing with the car that day, it could simply be 
that the software got into that place. Then what is 
happening with the car layers on top of that, because maybe 
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you were going five miles an hour and versus going 50 miles 
an hour, then you might have a different outcome. 

Q You've mentioned, and Mr. ishii mentioned, that there 
is always bugs. As a software developer, somebody that 
analyzes embedded systems, is it reasonable for a 
manufacturer to try and put in safety features which try to 
take up for or anticipate what bugs may do? 

A Yes . 

Q And have you mentioned that here? 

A Yes. So the third thing that can happen is that if 

you're a software developer and you think, Oh, well, I'm 
worried about the possibility that someone will set the 
throttle angle to 150 percent -- and I don't know what that 
means, but that sounds bad, I don't want it more than 100 
percent. So you might think about that, so you put in a 
detections that says if it is ever more than 100 percent 
then do something safe. That can range from, depending on 
the situation, keeping it at 100 or saying, well, I don't 
know why it ever would have been more than 100, there must 
have been some serious problem and resetting the computer. 

But just because a company and its engineers think 
up 100 possible things that can go wrong, or a thousand 
possible things that can go wrong and implement a set of 
failsafes that they think will defend against them, there is 
two problems with that. The first is the failure of 
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imagination possibility, which is it didn't get on their 
list. They forgot that it was possible that tasks could 
die, for example. 

Another possibility is that failsafe itself has a 
bug in it, a hole in it, a gap. They think they have 
mirrored all the critical variables, made a second copy of 
them, but they haven't. Or they think they have a watchdog 
supervisor that detects task death, but it doesn't or 
doesn't always. So they can have gaps in their safety 
archi tecture . 

So a third thing that can go wrong is that one of 
those gaps is exposed in the safety archi tecture . And 
sometimes it takes all three of those happening at once in 
order for your car to malfunction or to malfunction in a 
dangerous way that you report. For example, it might begin 
with a hardware bit foot, and that might cause a bug and 
that might escape detection because they didn't think of 
that possibility. 

Q Are coding standards like we've talked about and 
heard from Dr. Koopman, for example MISRA, are those 
structures that manufacturers can use or rules that 
manufacturers can use to help reduce unforeseen gaps in 
their safety archi tecture? 

A Yes. well, no. Not specifically in their gaps in 
their safety architecture. They can help to keep bugs out. 
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1 Q And if you don't have bugs, then it helps to create 

2 -- you don't need as big a safety archi tecture? 

B A I wouldn't say that's true either. 

4 Q Okay, what would you say? 

5A I would say that following a coding standard like 

6 MISRA-C can help to reduce the number of bugs in your 

7 software. Doing what Dr. Koopman talked about, which is 

8 having a software process like MISRA software standard, the 

9 Fat Standard, or the ISO Standards, that is a way to make 

10 sure that there are no single points of failure in your 

11 system. And so even if you have a bug that you don't know 

12 is there, you always have a way that it will be safely 
IB handled. 

14 Q So in terms of creating a safe archi tecture , a safe 

15 system, can it be something that is an afterthought? 

16 A No. You have to design in safety. Safety has to be 

17 there from the beginning. I think Dr. Koopman said it 

18 really well. He talked about the Therac-25, which was a 

19 famous case that embedded software engineers studied where a 

20 medical device that was used in treating patients, actually 

21 was killing them by giving them too much radiation. 

22 And he talked about how Dr. Leveson at MIT who 

23 studied the subject she found that simply the developers 

24 would find a bug and fix it and think they had solved the 

25 problem, and then the next patient was given too much 
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radiation and they would find a bug and fix it. You cannot 
got down the path of find a bug and fix it. You have to 
design safety in. 

And that's also important because sometimes 
embedded systems can't be updated, can't be upgraded. For 
example, in this Toyota electronic throttle control, there 
are two processors. The main processor has the potential to 
be updated, have the software updated, when you're in the 
dealer. It is capable, anyway, the chip of doing that. 

But the second processor, the monitor CPU is burned 
in a factory, a million chips all alike, and those chips 
can't ever be changed. So if there is a flaw, you can't go 
in and fix that flaw, so you have to have a good design from 
the beginning, you know, separate fault containment regions, 
no single points of failure, and you should follow a 
software process, safety process, in order to achieve that. 

Q Let's look at our next slide. I think Dr. Koopman 
showed us this one as well. 

A Right. So the slide says two things. First of all, 
it says that NASA agrees that Toyota's electronic throttle 
control is a safety critical system. They add some other 
terms of art that I don't think we need to get into, hard 
realtime. Then this figure that Dr. Koopman had shown may 
make a little more sense now, so I will just briefly explain 
it. 
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On the right, we have the combustion controls, we 
have a throttle valve that is controlled through a motor. 

The motor is doing the job of turning the knob on that hot 
water, we also have the fuel injection, that is the 
squirting of the fuel into the cylinder, and then we have 
ignition coil, which is charged up and then at the 
appropriate time creates a spark. 

The ECM in pink is the circuit board that has the 
two processors on it. And there is some explanation of 
kinds of thing that it does, but it does a lot more than 
this. You can see that it is monitoring the accelerator 
pedal, it is making sure you car doesn't stall by setting 
the idle speed, which can be different depending on whether 
you have the heat and air conditioning on, things of that 
sort . 

The cruise control, the transmission shifting and 
various over functions are taking place in there if you have 
an automatic transmission. Then this is showing the inputs 
to that. So, for example, the accelerator pedal sensors and 
other vehicle sensors that are used in that process. 

Q All right. So is the significance of this slide that 
NASA has reached the conclusion that this throttle control 
system is a safety critical system? 

A I think that is an important point. Yea. 

Q Now, based on all the things that you have done and 
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the analysis that you have done in this case, have you 
reached some conclusions that you will talk to us about? 

A Yes . 

Q is that the next slide? 

A Yes , it is. 

Q All right. Let's start with the first one at the 

top. And tell us about your conclusion. 

A So the first main conclusion is that the 2005 Camry 
electronic throttle control, the software os of unreasonable 
quality. It contains bugs, but that's not the only reason 
it is of unreasonable quality. And it's otherwise defective 
for a number of reasons. This includes bugs that when put 
together with the defects can cause unintended acceleration. 

Q As we go forward are you going to explain to us how 
those problems that you found will cause an unintended 
accel erati on? 

A Yes . 

Q Then you mentioned the code quality metrics, what do 
you mean about that? 

A So the code complexity and the McCabe Code Complexity 
is one of the measures of that. And the code complexity for 
Toyota's code is very high. There are a large number of 
functions that are overly complex. By the standard industry 
metrics some of them are untestable, meaning that it is so 
complicated a recipe that there i s no way to develop a 
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reliable test suite or test methodology to test all the 
possible things that can happen in it. 

Some of them are even so complex that they are what 
is called unmaintainable, which means that if you go in to 
fix a bug or to make a change, you're likely to create a new 
bug in the process. Just because your car has the latest 
version of the fi rmware -- that is what we call embedded 
software -- doesn't mean it is safer necessarily than the 
older one. 

So the metrics that I see in the source code that I 
will talk more in specific with you about, they predict that 
there are many more bugs. 

Q Are you also going to tell us about a conclusion that 
we see on the board related to the fail safes? 

A Yes. And that conclusion is that the failsafes are 
inadequate. The failsafes that they have contain defects or 
gaps. But on the whole, the safety architecture is a house 
of cards. It is possible for a large percentage of the 
failsafes to be disabled at the same time that the throttle 
control is lost. 

Q And you make that statement, but in practical terms 
what does that mean? 

A That means that the random hardware fault that can 
occur from time to time, the software bug that is latent, 
lurking, witting to happen can on the right day and the 
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1 right conditions can get through or knock down the failsafes 

2 that are in place. 

3 Q All right. And the your last comment here. 

4A So ultimately my conclusion is that this Toyota 

5 electronic throttle control system is a cause of UA software 

6 malfunction in this electronic throttle module, can cause 

7 unintended acceleration. 

8 Q And I know we will get to it later, but ultimately 

9 you have a conclusion that it also was the cause of the 

10 wreck in this case? 

11 A I do. 

12 Q All right. And we mentioned it here, we mentioned it 

13 several times, unintended acceleration. Do you have a 

14 specific definition for that? 

15 A Yes. I have simply adopted the definition that was 

16 used by NHTSA and NASA, which I think is a reasonable 

17 definition, which is if the vehicle is experiencing any 

18 amount of acceleration that the driver didn't want or 

19 purposely caused. And that comes in different flavors, of 

20 course. It could be that the car suddenly accelerated away, 

21 but it can also be that the car continued to go at the same 

22 speed even though you let off the accelerator. So I've 

23 cited that definition here from the NHTSA report that was 

24 published in 2011. 

25 Q All right. Now, Mr. Arora, who is sitting right back 
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here, is Toyota's software expert. And you reviewed his 
work, correct? 

A Yes, I have. 

Q Does he also use NHTSA's definition for unintended 
accel erati on? 

A No, he doesn't. 

Q All right. Let's go to the next slide and talk a 
little bit about NASA. 

A Before we go on, I just want to say that I also 
sometimes will refer to it as loss of throttle control. So 
if you lose the ability as a driver to control what is 
happening with that throttle valve, that is another way that 
I sometimes say unintended acceleration. You might see that 
on the slides, you might hear me say that. 

Q All right. Let's look at the next slide. Before we 

get into the details of the conclusions that you have here 
from the NASA report, NASA had a report, evaluated some 
vehicles, software and came up with conclusions, correct? 

A Correct. 

Q Have you essentially taken what they have done and 

built upon it? 

A Yes . 

Q Tell us what is significant about the portions here 

in this slide that you're showing us. 

A I was actually familiar with the NASA report and had 
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looked at it before I was ever engaged with these cases. 

One of the things that jumped out at me as an embedded 
software engineer reading the work of other embedded 
software engineers at NASA was that their ultimate 
conclusion was not from their analysis that a software bug 
or malfunctioning could not cause UA. 

They simply concluded that in the time they had 
they couldn't find the bug that caused UA, or a bug that 
caused UA. And, in fact, they sought a very narrow 
definition of UA. They thought -- they saw it, and they 
state this in the report -- only a bug that would open the 
throttle more than 25 degrees, not leave any, what are 
called diagnostic trouble codes behind as evidence later, 
and some other criteria. I'm not sure why they scoped it in 
that particular way. 

Q And we will talk about diagnostic trouble codes 
later, right? 

A That's correct. 

Q All right. This slide here, does it show some of 
NASA's scenarios that they postulated where a UA can occur? 

A Yes . 

Q Take us through it, please. 

A So NASA summarized, in particular on a table on page 
78 of their main report, a bunch of scenarios that they 
considered could cause UA. And they had ruled out a number 
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of them, but there are two rows left that they couldn't rule 
out. And that is what these paragraphs are about. 

The first row that they couldn't rule out is that 
the accelerator pedal has two sensors, redundant sensors. 

And the first one they couldn't rule our is if they both 
failed together, or were electrically entangled, became 
electrically entangled, then as a result there was no way 
for the system to detect that. 

So they worried, one, that that could cause UA. 

Then the second one they were worried about is what we will 
have talking about which is a systematic software 
malfunction in the main processor that is not detected by 
the monitor system, the monitor CPU. I think that is the 
main quote. 

Q Okay. So one of the proposed scenarios that NASA 
thought might could happen is that which you believe 
happened in this case? 

A Yes . 

Q All right, what else about this slide is important? 

A well, ultimately, you can see at the end there also 

NASA states clearly that just because they didn't find the 
bug, the proof, doesn't vindicate the system or say that the 
system is safe. NASA didn't say in their report that the 
system was safe. 

Q All right. And are you going to describe -- I think 
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1 in your next slide -- several of the defects that you found 

2 in Toyota's electronic throttle control system? 

3 A Yes. 

4 Q All right. Start at the top and describe them for 

5 us . 

6 A So we're going to be talking about these things in 

7 more detail. I want to kind of give you a preview of where 

8 we're going, if you will. So NASA falsely understood or 

9 misunderstood that all critical variables, or all critical 

10 values in that spreadsheet had a second copy, and that's not 

11 true. 

12 Q is that called mirroring? 

13 A That is mirroring. It can be called mirroring or 

14 echoing depending on precisely how you do it. But, 

15 generally, we can use the term mirroring. 

16 Q will we discuss that in more detail later? 

17 A we are. lust to be clear, what we found is that NASA 

18 had a misunderstanding here. There were actually critical 

19 values that were not mirrored. 

20 Q All right, what is next? 

21 A The other thing is that Dr. Koopman talked about how 

22 bit-flips can occur in the real world. There can be a one 

23 that becomes a zero or a zero that becomes a one, and this 

24 can happen inside integrated circuits or chips. And NASA 

25 was under the false belief that there was a protection 
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mechanism in there. Dr. Koopman gave an example of a parody 
bit, an extra bit of information, additional bits of 
information that were like a partial copy that indicated 
something was wrong. 

And that is also known as EDAC in NASA's report, 
E-D-A-C. It stands for error detective and correction 
codes. And so NASA didn't know that that wasn't there. It 
wasn't there in the 2005 Camry. And so if the bit-flip 
occurred, there would be no hardware mechanism to find it. 
And if it occurred in a critical value that was not 
mirrored, there would be no software protections against it. 

So the conclusion here is that there are critical 
variables in which bits could flip. Or there could be a 
software bug if you correct them. 

Q NASA, as part of their evaluation, looked 
specifically at the 2005 Camry, correct? 

A They did. 

Q And are you telling us that they were under the 
belief that the 2005 Camry had EDAC? 

A Yes . 

Q Does that make a difference in the analysis? 

A Yes . 

Q Does the 2005 Camry have EDAC? 

A No, it does not. 

Q How do you know that? 
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1 A we received additional information that NASA didn't 

2 have, we received information, a spreadsheet, that 

3 summarized -- it is one of the documents that I'm most 

4 familiar with this -- which is a spreadsheet that showed 

5 which vehicles, like Camry, which model years, like 2005, 

6 had hardware memory protection and which ones didn't. 

7 There was a sort of EDAC , not as much as NASA was 

8 talking about or NASA would employ in space, but there was 

9 one in the 2008 Camry, but there was not in the 2005 Camry. 

10 So later they put it in, but they didn't have it in the 

11 vehicle that NASA studied. 

12 Q And you're going to talk next about memory 

13 corruption? 

14 A Yes. So hardware bit-flip can occur. And NASA 

15 states that as well, and they were concerned about that, 

16 which is why they relied on the EDAC being there and the 

17 mirroring. But there were also bugs in Toyota's code that 

18 will have allow memory corruption to occur from a latent or 

19 just hanging around software bug from time to time. 

20 Q A hidden bug? 

21 A A hidden bug. That's right. One of those relates to 

22 stack overflow. NASA didn't realize that a stack overflow 

23 was a possibility, but our analysis shows that it is. And I 

24 will talk more about that. And also there are also software 

25 bugs. Now, NASA found bugs and said they found issues in 
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Toyota's code, but they didn't find the one or a one that 
opened the throttle 25 degrees and various other things. 

we found a set of bugs that specifically can cause 
memory corruption. So they're lurking there. And if they 
happen, then as a result of that, then the some critical 
variable could be -- could have a new value, for example, 
the throttle commend could become instead of opening 20 
percent opening 50 percent letting in a lot more air and 
giving the engine a lot more power. 

Q And you will discuss that in a lot of detail later 
right? 

A Yes . 

Q So is it, at least right now, memory corruption is a 
way that UA can occur? 

A That's correct. 

Q All right. And we're going to get into detail on 
these defects. But the thing that I wanted to ask you 
about, are these defects that you will discuss consistent 
with the opinions and testimony that Dr. Koopman gave us 
last week? 

A Yes . 

Q He talked to us about the process and rules and that 
sort of thing on how to create a safe system. Does your 
analysis for this case go deeper than what Dr. Koopman 's 
did? 
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1 A Yes. So Dr. Koopman was not able to see the source 

2 code, and so Dr. Koopman's analysis focuses on the science 

3 that underpins designing safe systems, that standards that 

4 are available to carmakers for making their car safe, 

5 whereas I support that by examining the source code and 

6 finding that those things weren't done. 

7 Q So where he couldn't tell us whether those problems 

8 that he saw caused Ms. Bookout's unintended acceleration, 

9 you're able to go into that detail analysis because of your 

10 review of the source code? 

11 A That's correct. 

12 Q All right. Let's go to the next slide? 

13 A So the ultimate conclusion from the presence of these 

14 defects is that the software could malfunction. And the 

15 most dangerous such malfunction would be if the car had a 

16 portion of its software that was working, and that part was 

17 running the combustion feeding air and fuel and spark to the 

18 engine at the same time that the part that the driver was 

19 interacting with through the accelerator pedal or the cruise 

20 control switches was not listening to the driver because it 

21 crashed or hung, like one application might crash on your 

22 desktop while another one is still running. 

23 Q And are the defects that you're describing here that 

24 can cause an unintended acceleration, can that occur when 

25 the cruise control is on? 
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A Yes . 

Q Can it occur when the cruise control is off? 

A Yes . 

Q And it is the same software defects that would relate 
to both? 

A Yes . 

Q Let's go to the next slide. You're talking about the 

software malfunctions here? 

A Yes. This just uses an analogy and makes the point 

that, of course, software malfunctions. And we see it all 
the time in our daily lives whether it your laptop or your 
desktop, sometimes you have to reboot things, restart 
applications, et cetera. 

It is a fact of life that software developers are 
well aware of, or should be well aware of that software 
malfunctions can occur. I don't know if you ever had the 
experience where is one app on your Smart phone is not 
working and the others are. And we all know, we are trained 
to reboot it. Just reboot it. Oh, you didn't get my phone 
call? well, maybe your phone is not taking calls right now 
because of a software bug. That can happen i n an iphone or 
an android. Even though your might be able to make outgoing 
calls, if one part of the software is not working, the rest 
is. So you reboot it and suddenly everything is fine. 

The 2005 Camry has apps. They don't call them 
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apps, they call them tasks. And so there are ^ tasks 
inside the engine. As an example, there is one task whose 
job it is to keep track of how fast the car is going. That 
is important, obviously, if you will have a cruise control 
feature because a cruise control needs to know not only what 
speed you would like it to be but what speed it really is. 

Q Let me stop you right there. 

MR. BAKER: Your Honor, my next question is going 

to involve some source code. So at Toyota's request, I 
think we need to clear the folks out of the courtroom again. 

THE COURT: is this going to be periodically, or is 

this the only time? 

MR. BAKER: I hope this is the only time. 

THE COURT: if not, I will just exclude everybody 

from this point on. You think this may be the only time? 

MR. BAKER: I will transition into our nicknames 

for it so we don't have to do it anymore. 

MR. BIBB: I think there is one other area that I 

noticed, but it is a long way from here in this slide show. 

THE COURT: Again, if you do not have source code 

access, please exit the courtroom. 

(whereupon, the courtroom complies.) 

THE COURT: You may proceed, Mr. Baker. 

MR. BAKER: Thank you, your Honor. 

Q (By Mr. Baker) You're talking about ^ tasks that 
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1 run this system, correct? 

2 A Correct. 

3 Q All right. Earlier we heard some testimony from Mr. 

4 Osawa, and he mentioned a couple terms that I believe are 

5 tasks names, and I want to ask you about those. He 

6 mentioned is that a name for one of these ^ tasks? 

7 A It i s . 

8 Q He also mentioned is that also the name of a 

9 task? 

10 A It is. 

11 Q All right. And in terms of do any of those 

12 characters have specific meaning to you or a programmer who 

13 is looking at this? 

14 A Yes. in Toyota's design, there were ^ tasks. And 

15 some of those tasks did things on a time basis. There were 

16 three of them, in fact. One of them that did something 

17 every millisecond, one of them that did a lot of stuff 

18 every milliseconds; and that's this one, and 

19 another one that did a lot of stuff, again, every g|| 

20 milliseconds. And those are known as the millisecond 

and | millisecond 

22 tasks. 

23 Those are the only tasks that were named quite like 

24 that. Most of the other tasks related to moving the 

25 combustion process at a certain speed that varied depending 
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1 on the engine speed, so it wasn't time based. And also 

2 there were some asynchronous things that happened separate 

3 from the engine speed, separate from the time, amount of 

4 time. 

5 Q And these two terms that we have specifically 

6 referenced here, are those source code terms to which Toyota 

7 has claimed are confidential and they don't want the public 

8 to hear those characters? 

9 A Yes. if you were to look at my report there, you 

10 would see every time I said it is blacked out. Every 

11 time I said it is blacked out. And other similar 

12 things are blacked out, and the same is true with the 

13 deposition transcripts from my testimony. 

14 Q And so for these ^ tasks that you referenced here, 

15 each one has a name like this similar? 

16 A well, as I said, there is only the three that have 

17 time-based names. 

18 Q in terms of our case here, are we going to talk a lot 

19 about ^^|? 

20 A we are. 

21 Q in order to avoid having to clear the courtroom every 

22 time we talk about it, do you generally talk about in your 

23 work as task X? 

24 A I do. I call it task X, letter X. 

25 Q So whenever we say task X, you're referring to this 
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specific task? 

A That's correct. 

Q For that specific task, can you tell us what 
particular functions that task has to perform? 

A I can't, because it is a very extensive list. I 
actually also refer to this tasks as the kitchen-sink task, 
because it does so much in the system. But importantly, for 
our purposes, it does throttle control; that is it selects 
the next throttle percentage, whether it should be 100 
percent, 50 percent, 20 percent. And it does that based on 
looking at the accelerator pedal position, whether the 
cruise it on. 

It executes also the cruise control code, so it is 
responsible both for turning on cruise control, maintaining 
speed of cruise control, and turning off cruise control. 

It also is responsible for many of the fail safes on the main 
CPU. we will talk more about that as well. 

Q we also mentioned DTC . what do those stand for? 

A DTC stands for diagnostic trouble codes. And most of 
those also are either in the millisecond task, task X, 

or they are -- they require its help in order to be 
recorded. These are codes that are recorded in your -- if 
you have ever taken your car to the dealer because the 
check-engine light was on and they read the computer and 
they told you that you have a back oxygen sensor or 
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something like that, that i s an example of a diagnostic 
trouble code. Many of them indicate there is a problem with 
a sensor or a that there is a problems with some other 
engine component. 

Q And in your Camry, is it this task X that has the job 
to either set or help set diagnostic trouble codes in the 
car computer, at least associated with what we will be 
talking about? 

A Yes. I won't say all of them, but most of them, the 
vast majority of them, will not be recorded unless that task 
X is doing all its job. 

Q You have gone through all these things, you told us 
this task has control over or performs, is it unusual for a 
single task to have so many tasks within it? 

A Yes. It is not a good software archi tecture. 

Q why is that? 

A in particular, combining the part of the system that 
does the calculation of the throttle angle with the 
fail safes and trouble codes is a well-known bad design. 

There is a pattern that people usually follow where you have 
a controller and you have a monitor. And so even within the 
software, it should have been architected so that the 
control of the throttle was separate from the fail safes 
related to the throttle and sensors that inputs them. 

Q Let me ask about that then. The jury heard testimony 
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1 about a brake override system. Are you familiar with that? 

2 A Yes. 

3 Q Wherein the accelerator is in certain condition, if 

4 you press the brake it will automatically cut the throttle. 

5 Are you familiar with that? 

6a I am. There is not one in the 2005 Camry, to be 

7 clear. 

8 Q Right. Do you have an understanding of the system 

9 that Toyota has since used? 

10 A Yes. I reviewed the one that they put into the 2010 

11 Camry. 

12 Q where is the function for that brake override? where 

13 is the task located, as you understand it? 

14 A Yes. So the brake override that is supposed to save 

15 the day when there i s an unintended acceleration is in task 

16 X, of course, because it is the kitchen sink. 

17 Q All right. And we will later in more detail about 

18 task death where a task just stops running, correct? 

19 A Yes. 

20 Q And I think your focus is going to be in on the death 

21 of task X? 

22 A That's correct. I don't think I will need to name 

23 any of the other tasks in order to talk about the rest. 

24 Q Just to followup your example on brake override 

25 systems, if Toyota's system were used, and task X died and 
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caused a UA, would brake override work? 

A No. 

Q why not? 

A Because you have software watching the software. So 
if the software malfunctions and the same program or same 
app that is crashed, is supposed to save the day, it can't 
save the day because it is not working. 

Q How would you fix that? 

A well, the right way to design a brake override, in my 
opinion, is to have it on an external chip. It is not just 
my opinion, it is also in a standard called EGAS (phonetic) 
for automotive makers. And in that design, you have a 
separate chip that looks at whether the driver is braking 
and whether the throttle is open. Does it make sense that 
you're braking but you are having to fight the throttle 
because it is open 50 percent or 100 percent? 

It would be relatively simple, and I will have 
explain later how Toyota could have done this back in 2002 
without any extra cost to the vehicle, that if you were 
braking and the throttle was stuck that there must be 
something wrong with the main CPU and it can reset. A car 
traveling at 60 miles an hour, a Toyota 2005 Camry traveling 
at 60 miles an hour, can reset its computer in about 11 
feet . 

So it's okay to reset the computer in order to 
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solve the problem. And that would, just like resetting your 
iphone, solve the problem. And Toyota had the means and 
could have done that, but they didn't do that in the 2005 
Camry. Even in the 2010 Camry, when they were responding to 
the NHTSA problems and investigations, what they did was 
software watching software. They didn't put a separate chip 
or have a proper brake throttle override. 

Q Have you covered everything on this slide that you 
want to talk about? I have a question if we have. 

A There is one thing that I want to talk about. I 
wrote there all of these tasks are meant to be running 
always. So I talked about task death a little bit, the idea 
that one app crashes, right? 

So what if you're driving down the road and you 
only now have ^ of these tasks working but your car seems 
to be operating normal? is that a good thing? No. Let's 
say that there are ^ tasks, each had assigned to it one 
programmer at Toyota or Denso. It is as if though one of 
them, you're not benefitting from the work of that m| 
engineer that day while you're driving down the road until 
you restart your car. It may cause a malfunction that is 
dangerous. It may cause a minor malfunction that you don't 
even notice. Then when you restart the car, it goes back to 
being a car. 

Q Let's talk a little bit about the operating system we 
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discussed earlier. Tell us -- I know you have your graphics 
here. The task that you just mentioned, would those be the 
tasks that we see at the top here? 

A Yes. I've illustrated those. I just call them task 
1 to N. Of course, N would be ^ in this case for this 
particular vehicle. The point of the slide is two things: 
First of all, to tell you that Toyota had an operating 
system in its cars, in its engines. And the other thing is 
for me to explain what an operating system is. You're 
obviously not running Windows in your engine, if you were, 
it wouldn't be able to reboot i n 11 feet at 60 miles an 
hour . 

So you are running a much smaller simple operating 
system, in this case, in this vehicle, it is called OSEK, 
O-S-E-K. And that operating system has a couple of jobs. 

One of those jobs is to provide helper recipes that all of 
the tasks need. The other job, which is critically 
important to the system, is it picks and chooses which task 
gets to sue the processor at any given moment. 

There is only one processor, one main CPU. You 
have ^ apps running on it. So the operating system 
performs a bit of magic where it time slices and selects, 

Oh, task 3 for a while, task 4 for a while, task X for a 
while, task 24 for a while, task 2 for a while. And that 
selection process is really the main job really of the 
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operating system. 

And I wrote up here that inside the operating 
system it keeps what are called critical data structures. 

And what I mean by that is since the operating system's job 
is to keep track of all of this, it is like a taxi cab 
dispatcher sending out calls; it needs to keep track of its 
charges, its tasks. So I think it is useful to think about 
the operating system as being a person with a set of 
three-by-five cards. 

On each three-by-five is written the task name or 
number, task one, and some notes about it like, Hasn't run 
yet, or hasn't run in a while, needs to run. Or task X 
currently using the processor. So -- and the operating 
system does its job. I have actually written an operating 
system and written about it in my first book and studied 
operating systems. 

inside it it is basically doing that data-keeping 
function, and so it is doing something like, well, this is 
the three-by-five card I have on a pedestal of the task that 
is currently running. And this is a group of them that I 
sorted by importance that need to use the processor when it 
gets a chance. And then these over here, they don't need to 
run for a while because it hasn't yet been eight 
milliseconds since the last time it started. 

So the operating system is shuffling these data 
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1 structures around, these three-by-five cards. And if in the 

2 process the cards get mixed up, or some of the notes on the 

3 cards become corrupted, then bad things can happen to the 

4 apps that are running on top, the tasks that are running on 

5 top. 

6 Q And as we go through this process, are you going to 

7 describe for us defects in the operating system? 

8 A Yes. 

9 Q is the operating system an important part of the 

10 design of Toyota's ETCS, throttle control system? 

11 A It is an extremely important part. It i s like the 

12 columns that hold up a building in an archi tecture . So the 

13 choice of what kind of operating system to use, and the 

14 choice of how that operating system is structured is 

15 critically important to the integrity of the system. Yes. 

16 Q We talked earlier about you have reviewed 2002 to 

17 2010 vehicles that included Camrys, the Lexus ES and the 

18 Tacoma, within that time frame, are there certain of those 

19 vehicles that all use the same operating system that Ms. 

20 Bookout's vehicle used? 

21 A Yes. Many of them used the OSEK operating system. 

22 Many of them used the same exact version of the OSEK 

23 operating system which means exactly the same source code 

24 and ultimately the same machine code. And then others that 

25 used OSEK used a version number of one or two versions off 
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that are substantially similar from that point of view. 

Q Here in your report that you did, did you do a 
chapter on operating systems? 

A Yes. The first chapter is on the operating systems. 

Q Did you provide a chart which shows which vehicles 

will contain the same operating system as Ms. Bookout's 
Camry? 

A Yes . 

Q Lets's go to the next slide. 

A Don't worry. I don't expect you to understand 

everything that is on here. 

Q You and I have looked at it before and I still don't 
understand . 

A And you don't need to. This is just a representati on 
of what we found with respect to those data structures, 
those three-by-five cards. So this is just a depiction of 
what we found inside the operating system when we looked at 
it to see how it kept track of which tasks needed to use the 
CPU and which ones and which ones were eager to do so, and 
which ones were using it. 

And it has this three-tier structure that is 
actually the same between the two different ones called 
Itron and one called OSEK operating systems that Toyota has 
used in these electronic throttle vehicles. But you can 
think of these as three-by-five cards about a task, and this 
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would -- I was going to say you can think of it as the notes 
on a three-by-five card, but my analogy would break there. 

So this is actually a sort of scoreboard, if you 
like, that keeps track of what importance the various things 
are that need to be done. 

Q is there defects in this operating system that you 
believe relate to unintended acceleration? 

A Yes . 

Q Take a look at the next slide. 

A So it turns out that Toyota didn't look at this 
operating system. And inside this operating system when we 
looked, we found that these critical data structures aren't 
protected in any way. 

Not only is there not a hardware protection against 
hardware random faults, but there is also no protection 
against either hardware faults or software faults, software 
bugs, causing corruption of this data inside the operating 
system. So you can actually see that this particular bit 
here that I flipped on the drawing from a one, which it used 

to be, to a zero, that will actually have the effect, a 

bit-flip there, will have the effect of killing one of the 
tasks . 

And now that task -- depends on how the corruption 
happens, actually -- but one thing that can happen is that 
task will never run again until you reboot the car, which 

***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



90 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


generally speaking is it is taking the key and turning it 
off and turning it back on. if you have a push-button 
start, you actually have to get out of the car with your key 
on a remote before it will actually reset the processor. 

Q is that top line talking about a bit-flip where Dr. 
Koopman was talking about bit-flips but he was talking about 
from outside rays doing that? 

A That is one way it can occur. Another way it can 
occur is by a software bug. And the software bug could be 
inside the operating system or outside the operating system. 
And it could affect more than one bit at a time. A hardware 
bit-flips that Dr. Koopman talked about and that NASA talks 
about are often called single event effects or single event 
upsets. And very often they effect just one bit. 

But a software bug, of course, can corrupt a whole 
area of the memory or one bit or a collection of bits. And 
any corruption that occurs in here has the potential to kill 
one or more tasks, either temporarily or permanently. 

Q You mentioned early EDAC. Does EDAC come into play 
if it existed with some of the things that your are 
describing here? 

A It does and it doesn't, if there was EDAC, remember 
is like the parody bits, those hardware memory protections, 
if there was that, then we wouldn't have to worry -- might 
not have to, depending on how it is designed -- worry about 
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those single event electronic effects, EMI or Alpha particle 
strikes like Dr. Koopman talked about. 

However, if there was EDAC, this could still be 
corrupted by a software bug. So EDAC alone is not the 
answer here. 

Q And these things you're telling us can happen, how do 
you know that? 

A I know that because we simulated it in the code room 
using the Green Hill simulator that Toyota used. And we 
also simulated it in the vehicle, in multiple vehicles, 
Camrys . 

MR. BAKER: Your Honor, I know we're a little bit 

early, but we are about to transition into something that 
will take longer. 

THE COURT: we will take our lunch break now. 

Ladies and gentlemen, it is 11:45. we are in recess for an 
hour and 15 minutes or until 1:00. 

I would remind you: During the recess, do not 

discuss the case, and do not begin to form any opinions 
about the case. 

All rise while the jury exits. 

(whereupon, the jury exits the courtroom.) 

THE COURT: we're on the record, we're outside the 

presence of the jury, we're discussing the proposed 
deposition of Mr. Takimoto. The defendants have objected, 
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1 THE COURT: We are back on the record. The 

2 members of the jury are present, as well as counsel and 

3 their clients. Mr. Barr is still on the stand. 

4 I was thinking, I didn't remember if I swore 

5 you in earlier, but I did. I remind you, sir, you are 

6 still under oath. And Mr. Baker, you may continue your 

7 direct exam. 

8 MR. BAKER: Thank you, your Honor. Could you 

9 lower the light for us? 

10 THE COURT: Yes. 

11 MR. BAKER: Slide 19. 

12 Q. (BY MR. BAKER) All right, Mr. Barr. We left off at 

13 slide 19, and I think we were about to transition. 

14 You had mentioned, I believe, that you had done some 

15 software testing in the Code Room in Maryland, correct? 

16 A. That's correct . 

17 Q. And I think one of last things you said you 

18 mentioned you had also been involved with some vehicle 

19 testing? 

20 A. Yes. I wasn't directly involved with the vehicle 

21 testing. I wasn't there when the vehicles were tested, 

22 but what we had simulated in the Source Code Room was the 

23 tasks could die and so the operating system by these 

24 corruptions inside the critical data structures. And 

25 some testing was done by a gentleman named Mr. Louden, 
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1 using 2008 and 2005 Camry vehicles. 

2 Q. All right. And I think the jury's heard a little 

3 bit about that before. Were you involved in helping him 

4 do that process? 

5 A. Yes. I was involved in assisting from the Code 

6 Room. 

7 Q. All right. What was the purpose of doing the -- and 

8 I suppose they were software tests? 

9 A. Yes. 

10 Q. What was the purpose of running the software tests 

11 on the 2008 and 2005 Camry, generally speaking? 

12 A. Well, the Source Code Review had indicated both that 

13 task could die by the memory corruption, and that also 

14 that one of side effects of that would be that this — 

15 for example, that task died, that many of fail safes 

16 would be disabled. And so the purpose of vehicle testing 

17 -- in the room, of course, we didn't the real hardware. 

18 We could simulate the operating system, we could simulate 

19 the task to a certain extent running on the process 

20 server but it wasn't on the circuit board and it wasn't 

21 in the car. 

22 And so that testing was to perform the same testing 

23 and demonstration to determine what the fail safes would 

24 do, if anything, in response to this task death. 

25 Q. So Mr. Louden ran multiple tests on the '08 and '05 
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1 Camry? 

2 A. That's correct. 

3 Q. And all looking at how the software task made out? 

4 A. That's correct. 

5 Q. Was that reported in some fashion? 

6 A. Yes. The testing that he performed, he used data 

7 logging equipment to record, you know, things like the 

8 accelerator peddle position, both sometimes outside the 

9 car, what it looked like, electrically. 

10 And also inside the computer there was a tool that 

11 we had from Toyota called a tech stream. He was able to 

12 monitor certain memory locations inside the computer log. 

13 Ran to see, for example, whether the computer thought the 

14 brake was pressed, in comparison to whether the brake was 

15 actually pressed and things like that. 

16 Q. Was the data that he collected from these tests 

17 compiled into some documentation that people like you 

18 could take and read and use? 

19 A. Yes, in Mr. Louden ' s expert reports. 

20 Q. All right. And have you reviewed the data and 

21 reports of failure relating to the test that was done on 

22 the '08 and '05 Camry? 

23 A. I have. 

24 Q. Have you considered that information as part of your 

25 analysis in this case? 
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1 

A. Yes. 

2 

Q. In terms of talking about, from this slide, memory 

3 

corruption and task death, have you pulled the piece of 

4 

the data from some of testing that helps explain what you 

5 

are talking about? 

6 

A. Yes. 

7 

Q. Is that the next slide? 

8 

A. Yes, it is. 

9 

Q. Let's look at that. 

10 

All right. The title here is Example of Unintended 

11 

Acceleration. The first thing I wanted you to do is tell 

12 

us what it is we're looking at. 

13 

A. Okay. So we're looking at a bunch of different 

14 

pieces of data all plotted together in one graph. And 

15 

just to generally orient you, elapsed time that is being 

16 

measured across the bottom in seconds. So this 

17 

particular piece of the graph begins at time 80 seconds 

18 

on his clock and ends a little bit after 150 seconds. 

19 

maybe 155 there. 

20 

And then on the vertical axis we see the speed of 

21 

the vehicle. He was measuring that in kilometers per 

22 

hour. And so we're seeing that in kilometers per hour. 

23 

I've made some notes here in miles per hour to make it a 

24 

little easier to understand. 

25 

Q. Is a plot of some of data that Mr. Louden collected 
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from some of his testing? 

A. Yes. 

Q. Can you walk us through it and explain to us what 
we're seeing here? 

A. Sure. I've tried to make clear what the different 
colors of the data mean. So for example, the speed of 
vehicle is this blue line. The throttle angle is 
measured here on this red line. And then there is, 
whether the brake is on and off is a binary signal, on or 
off. And so it looks like it goes way up to the top of 
the graph. It just really means the brake was not on, 
the brake was tapped and the brake is on solid. 

Q. Just so I'm clear, where we see these intermittent 
green lines, is that somebody tapping the brake? 

A. That's correct. 

Q. And when we see up here at the top, it's a long 
piece. That means the brake is applied at hilt? 

A. That's correct . 

Q. Okay. What were you simulating in this? 

A. So you can see there is a vertical line here at 

time, just before 100, maybe 98 seconds. And that is the 
marker for the point in time it tests when this task-X 
was killed and the mechanism of killing it was to flip 
one bit inside the operating system. So those working 
inside the Code Room indicated particular bit to flip to 
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Mr. Louden. 


2 Q. All right. Let me back up and ask you additional 

3 questions. In this testing that was done on the vehicle, 

4 was the test required to go in and simulate some 

5 occurrence in order to have task-x data? 

6 A. I'm sorry. I don't understand your question. 

7 Q. Did it have -- did the person that run the test have 

8 to make the task die? 

9 A Yes. So using the same tech screen, laptop 

10 basically as Toyota test equipment hooked up to the car's 

11 computer, he was able to simulate the bit flip. Of 

12 course we can't — you know, as scientists we want to 

13 test something, we need to be able to make it happen, we 

14 need to make it happen in no time. We can't just wait 

15 around for that particular bit to flip, which may take a 

16 long time. 

17 So he was able, using that same computer, to, you 

18 know, enter a command and cause that bit to flip. And 

19 then that would have the effect of killing that task in 

20 the vehicle. And then the rest of data is the data 

21 collection of cars ' s behavior around then. 

22 Q. Does he drive this car on the road? 

23 A. No. He's doing it on what's called a dynamometer. 

24 In Maryland, anyway, when you get your car's emissions 

25 tested you put your car on a dynamometer, where the front 
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wheels -- the drive wheels are turning and the car's not 
going anywhere. He had a similar arrangement. 

Q. All right. And so, this vertical line, I'm 
estimating, is somewhere close to 100 seconds into that 
test, he's able to, using a computer, to kill task-x? 

A. That's correct. 

Q. When you say kill task-x, what does that mean in 
terms of the car's operation? 

A. Well, the graph is showing that at that time you 
have of the | tasks alive, but you don't have this 
task-x running. And we're seeing what happens to the 
vehicle, which is a loss of throttle control subsequent 
to that . 

Q. And in a previous slide when you were talking about 
memory corruption, killing task-x and causing a UA, is 
that an example of that? 

A. That's correct. 

Q. Tell us what happen after the task was killed. 

A. After the task was — so the setup here with this 
particular test was that the car had been run in the 
time, obviously, before 80 seconds and using the 
accelerator pedal, Mr. Louden had gotten the vehicle up 
to this 68 miles an hour and he had set the cruise 
control. So now he had the car driving at cruise control 
at 68 miles an hour. 
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And then he canceled the cruise control and a little 
bit later here at this inflection point, the bottom of 
blue line, he hit the resume button on the cruise. So 
it'd try to go back to the speed of the vehicle that was 
previously set, which was about 68 miles an hour. 

So if it starts at — I didn't calculate there in 
miles per hour, but you can see the inflection point at 
the bottom in the blue, it starts below 68 miles an hour. 
And then of course, the car begins to accelerate because 
the car is operating normally. 

What happens is that the task death caused in this 
particular test. Because that task was not there when 
the vehicle actually reached the set point of 68 miles an 
hour, it should have closed the throttle more and slowed 
the vehicle -- or not slowed the vehicle, but kept the 
vehicle going at 68 miles an hour. Instead, the throttle 
remained open and the vehicle continued to accelerate. 

And you can see that this total length time with the 
throttle open, letting in air, and the car accelerating 
to past two and past the cruise set point, is 
approximately 30 seconds. So from time, about 100, until 
a time, about 130. 

Now, Mr. Louden, as I understand it, at this point 
got nervous at 90 miles an hour because the vehicle was 
on the dynamometer. And so at that time he pressed on 


THIS TRANSCRIPT IS NOT PROOFREAD 



11 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


the brake solidly and continuously this whole time. 

There's a couple of effects you should be aware of 
because it was on the dynamometer. First of all, is that 
on a dynamometer, there is a lot of momentum in the 
dynamometer itself. So when he started braking there and 
a fail-safe, called a brake echo, kicked in, at that time 
the vehicle did not decelerate as fast as it would have 
on the road. 

But what we see here is that there was an unintended 
accelerate or a loss of throttle control that spanned 
from time 98 until about time 129 when he pressed on the 
brake solidly at that time. 

Q. You mentioned at -- was it at this point that the 
fail-safe kicked in with the brake applied? 

A. Yes. The -- at -- it would be within that, between 
that 129 and 130-second gap. 

Q. All right. So we see in some of these green lines, 
he just taps the brake and the fail-safe did not come on? 
A. Yes. That's correct. 

Q. All right. And now, this is also from the 2008 
Camry ? 

A. Right. So this was the first testing that was 
performed was on a 2008 Camry. 

Q. You mentioned earlier that you had looked at other 
cases or been involved in other cases, correct? 
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1 A. Yes. 

2 Q. One of them was called Van Alfen? 

3 A. That's correct. 

4 Q. And I think the jury heard about that one. Another 

5 one was called St. John. Were you involved in that one? 

6 A. Yes. 

7 Q. In St. John, it involved a 2005 Camry? 

8 A. That's correct. Same model as this case. 

9 Q. In both cases, were you doing the same analysis that 

10 you're doing here? 

11 A. In terms of the overall analysis? 

12 Q. In terms of looking at UA? 

13 A. Yes. 

14 Q. And evaluating the software code? 

15 A. That's correct. 

16 Q. All right. Was Van alfen the first case in which 

17 you had an opportunity to perform this type of analysis? 

18 A. Yes, it was. 

19 Q. And in that case, did you write a report for the 

20 Court that outlined your opinions in that case? 

21 A. Yes. 

22 Q. And were St. John and Van alfen pending in what the 

23 judge has already told the jury, was an MDL or big 

24 federal litigation in California? 

25 A. Yes, that's correct. 
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1 Q. All right. And were both cases being supervised by 

2 one judge? 

3 A. Yes. 

4 Q. Judge James Selma? 

5 A. I don't know his first name. Judge Selma. 

6 Q. All right. Very well. After you wrote your report 

7 in Van alfen, did you come to realize that you had made 

8 an error relating to the brake echo? 

9 A. Yes. 

10 Q. All right. Tell me about that. 

11 A. Well, at the time that I wrote my report in July of 

12 2012, in the Van alfen case, I did not understand that a 

13 portion of this behavior that occurred right here was a 

14 fail-safe in the second CPU, in the minor CPU. And that 

15 was, in part, because Mr. Louden did not realize that the 

16 throttle had been cut at 129 there. He saw the engine 

17 stall at 132 . 

18 And additionally, it related to some source code 

19 that I had been provided just in the final weeks of my 

20 report writing. And that -- I made an error in my 

21 analysis of that code the first time. 

22 Q. And once you realized there was an error, did you go 

23 back and look at it? 

24 A. Yes. As soon as I became aware of that, which was 

25 in late September of 2012, within 10 days or so, I issued 
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a supplemental report, reviewed the additional code and 
filed it in the same case. 

Q. So you ultimately corrected your error? 

A. That's correct . 

Q. And the source code that you were looking at when 
this error occurred, was that the source code from what 
we've called the monitor CPU? 

A. Yes. The ESPB-2 monitor CPU. 

Q. And in the time frame there where you were looking 
at it, had there been a delay in producing that software 
code from Toyota? 

A. Yes. 

Q. Was there also a problem with getting the proper 
tools, and I may be using the wrong word, to read it? 

A. You're not using the proper terms. The source code 
for that ESPB-2 chip, despite being asked for much 
earlier, had not been produced until about three weeks 
before my report deadline. That was about -- that was in 
late June. So that was about -- almost six months after 
the rest of the source code for the main CPU had been 
produced . 

And so I had -- while I was preparing, of course, my 
full report, which is about the same size, to analyze 
this new code that had come in, within about three weeks, 
and write a report on that . 
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And additionally, Toyota only provided the source 
code and they did not provide the tool that went with it, 
called the assembler. This code is written in assembly 
language, which is a harder to read human source code 
language, more machine-like. And they were using one 
that needed a special compiler called an assembler and 
they didn't produce that or it's user manual. And so I 
erred in my analysis on the basis of not having that 
manual or that tool. 

Q. All right. And it wasn't an error in reading the 
code. You just hadn't read that part of the code yet, is 
that right? 

A That's correct . The error related to something 
called a preprocessor directive which stemmed from not 
having the -- I made a logically reasonable decision and 
I consulted with my colleagues on making that decision. 
But without that actual tool we didn't have a definitive 
answer . 

Q. And did Judge Selma ultimately allow you to 
supplement your report? 

A. Yes, he did. 

Q. And did he ultimately conclude that part of the 
reason that you reached that error was due to a delay in 
production of software by Toyota? 

A That ' s correct . 


THIS TRANSCRIPT IS NOT PROOFREAD 



16 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


Q. Is there anything else about this particular slide 
you wanted to tell us? 

A. Yeah. I just wanted to -- this is one example from 
the vehicle testing. And I just want a make a few points 
about and it foreshadows some of other things we're going 
to talk about. 

First of all, is that this testing, although it was 
done on a dynamometer, is representative of what would 
happen in the vehicle on the road if you resumed cruise 
control and task-x was dead at the time. It would exceed 
the speed of your planned -- you know, set speed. And it 
would not, in this particular scenario, begin to correct 
anything until the driver acted. 

So the driver would have to realize that the car had 
gone above the 68, maybe much above the 68. And then 
when he stepped on the brake an action was taken in that 
particular scenario. 

This testing confirmed that -- so this was related 
to cruise control. But we've also confirmed that during 
this time the accelerator peddle is not responsive. So 
there is two ways you can tell the car how fast you want 
to go, one is the cruise control buttons and one is the 
accelerator pedal. And neither of them works during this 
dead task-x time. 

The other thing is that this ended, this particular 
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1 test ended when the driver stepped on the brake. 

2 However, we have confirmed in other vehicle testing that 

3 I'll talk about later, that if the incident begins with 

4 the peddle, brake peddle pressed at all, even lightly, 

5 then the unintended acceleration will continue, 

6 potentially, forever unless the driver tries the risky 

7 thing of letting go of the brake while the car is driving 

8 away with him. 

9 Q. So in other words, if you're driving down the road 

10 and you put your foot on the brake to slow down, for 

11 whatever reason, during that time period task-x is where 

12 it actually dies, the vehicle starts to accelerate. 

13 You've got to actually back off the brake and try and 

14 catch it? 

15 A. That's correct. Which is both counter intuitive 

16 because your car is zooming away and you have to let go 

17 of the brake. And it's also dangerous because as you let 

18 off the pressure of the brake, at least you were applying 

19 some mechanical pressure, but as you let off the car 

20 speeds up. And so that may increase the risk in the 

21 short term, at least, before this fail-safe would take 

22 effect. 

23 Q. And your foot on the brake, as you described, and 

24 your vehicle begins to accelerate while you're coming 

25 back off the brake, does that actually give you the 
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impression that the vehicle was accelerating? 

MR. BIBB: Objection. Leading. 

THE COURT: Sustained. 

MR. BAKER: I'll move on. Your Honor. 

Q (BY MR. BAKER) Have we covered this slide? 

A. Yes. I think so. 

Q. All right. We talked about memory corruption. Is 
this talking about it in any particular way? 

A. Yeah. So we've talked about the memory corruption 
that can happen and we've talk about some of the effects 
that that can have . 

What this talks about is different ways that the 
corruption itself could happen, different types of 
software bugs, probably more detail than you wanted to 
know, but I wrote a whole chapter called software bugs in 
Toyota's code, and this slide summarizes the types of 
bugs that were found in Toyota's code that could cause 
bits to flip to memory tp become corrupt. 

Q. Could you describe each one of the for us as you 
have listed here? 

A. Yes. The first type of software defect is a buffer 
overflow. This is where you have a region of the memory, 
let's say 100 bytes of space that's reserved for a 
particular buffer storage area. 

If the software contains a bug that writes past the 
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100 bytes, say, 101 bytes, that will obviously override 
whatever is the next thing. I think Dr. Koopman gave an 
example where, you had a notebook and you got to the back 
of the notebook and you accidentally wrote on top of the 
other pages. It's that kind of thing where you have 
another variable or another thing being stored and your 
code accidentally overwrites it and now it can take on a 
new value. So that is a buffer overflow. 

Q. All right. What is — and do you find that to be a 
defect in the '05 Camry? 

A. Yes. The 2005 Camry code contains at least one 
buffer overflow. 

Q. Now, what's an invalid pointer? 

A. An invalid pointer D reference is if the -- quite 
technical. But if you have in one cell of your 
spreadsheet the information about the location of another 
cell in the spreadsheet. Let's say, on your spreadsheet 
it says cell E-5, a pointer is like that. In the source 
code it says, I'm not what you're looking for, but here's 
the address that you're looking for. That's a pointer. 

If you, instead of going to cell E-5 you 
accidentally to cell A-l because you've used the wrong 
pointer, then you will write over somebody else's memory, 
some other part of the source code. 

Here, the defect in the 2005 Camry is that there are 
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many places where pointers are de-ref erenced without 
checking them to be valid. And that is something that's 
important to do in the safety critical system, is to 
check that they are valid. 

So if, for example, one of those pointers became 
corrupt, then it would cause a chain reaction of 
additional damage to the memory. 

Q. What is a race condition? 

A. A race condition is a subtle timing bug. Toyota 
uses the term task interference, and on that basis NASA 
also refers to task interference. You heard about the 
10,000 global variables. You can imagine that one of 
those global variables is the balance in your checking 
account. Suppose there is two of you who each have a 
checkbook or checks from that account. If you are near 
the bottom of your bank balance and both of you write 
checks, you're going to end up with an overdraft 
condition in the bank, but also it's not clear -- there's 
a race it's not clear which one of you is going to get to 
clear the check and which one of you is going to get to 
balance the check. 

There's something similar that can happen in 
software which is that you have two or more tasks, like 
two tasks as having two checkbooks and they're both 
referring to the same both global variable or same cell 
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in that spreadsheet, and if they're both writing at close 
in time, they can actually step on each other's toes. 

And it could be that one of them gets its answer there, 
or the other one gets its answer there, or together they 
corrupt and damage it to create a third value. You don't 
get a check balance, in this case you get a corrupt 
memory . 

Q. And you found that defect to exist if the '05 Camry? 
A. Yes. 

Q. Nesting schedule or -- nested schedule or unlock, 
what does that mean? 

A. A nested schedule or unlock is a very bad thing. 

The use of -- it's complicated to explain again. I 
promise this is a last slide about these things. But in 
nesting schedule unlock is, one of the ways you prevent 
corrupting these data locations that are used by multiple 
tasks is you tell the operating system, hey, while I'm 
updating my checkbook balance, don't let the other -- 
it's like calling your friend and saying, don't write a 
check, I'm about to write a big check for the rent. 

That's a version of that in the software where you tell 
the operating system, while I'm doing this, don't let any 
other tasks switch and take over. Let me finish my job 
and then when I'm done then you can give the processor to 
someone else. You ask the processor please don't let any 
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other task to run until I'm done, and then briefly, maybe 
just a few instructions later you tell the operating 
system, okay, I'm done updating that variable, it's okay 
for other tasks to run. It's called a scheduler or 
locking . 

It is a bad practice that is in Toyota's code to 
lock the scheduler, tell the operating system to lock, 
and then a short time later lock it again. And it's 
particularly dangerous with the operating system that 
Toyota's using because when the first of those to finish 
unlocks, it's like someone going to a deadbolt on your 
front door and you lock, someone else comes along, locks 
it again, no change, right? But the first one of you 
unlocks it actually chances the security state. 

The same thing inside the operating system, if you 
have nested call to the operating system to lock, the 
first unlocker is going to create race condition. It's 
going to create an opportunity, a time window through 
which race conditions can occur. It won't happen every 
time. If it happened every time, it would get in the 
vehicle testing in Toyota's factory. It happens rarely 
because it's a subtle time-related bug. It depends on 
sort of the stars aligning in a bad way. And those kinds 
of bugs are exactly the kinds of bugs that I'm using to 
looking for and finding in imbedded software. And we 
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1 found those types of bugs in Toyota's code also. 

2 Q. Can any one of these cause memory corruption? 

3 A. Yes, any one of these besides themselves can cause 

4 memory corruption. 

5 Q. The unsafe casting? 

6 A So unsafe casting is where numerical values can 

7 become inadvertently rounded and take on new numeral 

8 values. Give you an example of this. One of the bugs 

9 related to this is in Toyota's code. It is possible for 

10 the software on the main CPU, although the actual car is 

11 supposed to have its engine move -- you know about RPMs 

12 and tachometer, the car is supposed to go from zero RPMs, 

13 revolutions per minute, to in this case a maximum of 6400 

14 RPM, that's the red line. We're above the red line where 

15 it will stop. And along the way there is all these 

16 different values of RPM. Well, those are okay in the 

17 software, but due to a casting bug it is Toyota's code, 

18 is is possible for that value to be become negative and 

19 there's something like 100 parts of the code, that look 

20 at the end engine speed and they could become very 

21 confused if the value went negative. And it could also 

22 become very large like 13,000 RPM which could confuse the 

23 software in a different way. 

24 Q. And last one stack overflow? 

25 A. So a stack overflow is a very dangerous problem 
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1 

where, it's like a buffer overflow but it's a very 

2 

special buffer. It's a buffer that all the tasks use to 

3 

keep traffic of their internal decision making and keep 

4 

notes for themselves about what they were doing when the 

5 

processor was taken away from them the last time. 

6 

And that stack is of a set size. In Toyota's it's 

7 

about four kilobytes, very small region, and if that 

8 

buffer overflows then you end up overwriting whatever ' s 

9 

beyond it in memory. 

10 

Q. All of these defects that you found in the '05 

11 

Camry? 

12 

A That ' s correct . 

13 

Q. And all of them can corrupt memory? 

14 

A. That's correct. 

15 

Q. Why is that memory corruption is so significant? 

16 

A. Well memory corruption is so significant because 

17 

it's a memory corruption that can cause a task death and 

18 

task death can cause in a general sense unpredictable 

19 

results, but in a specific sense, as with task X, cause 

20 

loss of throttle control and also a disablement of a 

21 

number of the fail safes. 

22 

Q. We talked about earlier some of your books. And one 

23 

of them was a dictionary. And was that an effort to 

24 

define certain terms that are used within the software 

25 

industry? 
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A Yes . 

Q. Is one of the terms that you defined in your book 
spaghetti code? 

A . It is . 

Q. Let's go to the next slide please. Tell me 
generally what spaghetti code means in your industry? 

A. Well, in a nutshell it means that the code is very 
difficult to read and maintain. You heard Mr. Ishii say 
that NASA had trouble reading Toyota's source code. That 
wasn't to do with them not following NISRA, it's because 
it was badly written and badly structured source code. 

And that's spaghetti. Code spaghetti code is -- I picked 
this picture of a very complicated electrical wiring 
intersection because I think it aptly demonstrates what 
spaghetti code is like. 

Now I have to look at source code and I'm looking at 
this variable name and this function name and things of 
that sort, but imagine your job was to go fix the phone 
line that's out at Apartment 12 in that configuration. 
That's what spaghetti code is like. And when you go and 
find it, you may disrupt or you might tangle two wires 
together and cause the phone service to break in another 
department. And that's what toyota's engineers are 
dealing with their source code and that's what they're 
referring to when they call it spaghetti like. 
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Q. When you say source code that is developed at one 
time and then you continue to add onto as time goes on, 
rather than starting anew, can you end up with a 
spaghetti code? 

A. Yes. 

Q. Do you have any idea if that's the case in terms of 
Toyota? 

A. Yes. 

Q. What did they do? 

A. The way I understand the progression with Toyota is 
mostly through what I see in the source code evolving 
from year to year, and also what I read, for example, 
from Mr. Ishii's deposition. I've read more of it than 
what I saw here. But he talked about the time frame. He 
was there the whole time. 

Initially they didn't have electronic throttle 
control, they didn't have an operating system, they 
didn't use the C programming language. They switched 
from assembly language to C. They added an operating 
system. They added electronic throttle control. And 
they were all the while increasing the amount of 
complexity and intertwinedness of all this source code. 

Q. You were here for Mr. **Something deposition this 
morning? 

A. Yes. 
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1 Q. And did you hear the discussion about one of the 

2 documents between NHTSA and the Toyota employees about 

3 updating the power train software? 

4 A. I did. 

5 Q. Have you actually reviewed that document? 

6 A. I have reviewed that document, that's right. 

7 Q. And in that discussion did Toyota employees refer to 

8 their software as spaghetti like? 

9 A. Yes. 

10 Q. And did you create a slide about that? 

11 A. I did. So these are all quotes from that document. 

12 Q. And here it discusses activities to improve the 

13 status like -- the spaghetti like status of engine 

14 control application were started, is that correct? 

15 A. That's correct. 

16 Q. Is this the type of software that's used to help 

17 control the electronic throttle control system based on 

18 your review of the document? 

19 A. Yes. 

20 Q. Is there anything else you want to point out in 

21 terms of this document? 

22 A. Well, the document refers to first of all that the 

23 power train engine code is -- which is another name for 

24 the UCM engine control module. That's where the power 

25 comes from. It also refers to other problems with 
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Toyota's process, such as that there are some of the C 
source modules don't have specifications and have 
specifications -- specifications or design documents that 
say how it's supposed to work. In some cases the design 
documents don't exist, and in other cases the design 
documents say something different than the code, so which 
is right? 

Q. All right. Let's go to the next slide. Are there 
several type of spaghetti code? 

A. There is two basic types of spaghetti in source 
code. One is what I'll call data flow spaghetti, that 
really refers to having all the different, you know, 
those couple of thousand modules, files of source code 
all being interconnected with each other, which is a bad 
architecture, through global variables. 

For example, so when NASA says that -- and I can 
confirm that Toyota's source code has over is 11,000 
global variables, they are saying that it is greatly 
intertwined in such a way that spaghetti — the data — 
if you want to follow a particular path, you know, where 
does the accelerator signal go, you have to trace through 
multiple files and multiple tasks to see where that data 
goes. And they're all linked together with these global 
variables. Some of which are 25, 30 characters long and 
some don't have vowels and some -- two of them are 
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identical, except one has a P and one has a D, or a P and 
a B . 

Q. And just remind us, what is a global variable? 

A A global variable is one of those ingredients in the 

recipe, but it's being used by multiple recipes. So an 
example of that would be the global variable that tells 
the combustion part of the software how wide open the 
throttle should be, should it be 10 percent open or 
should it be 100 percent open. That's a global variable. 

Another global variable is the one that I referred 
to earlier that keeps track of how fast the engine is 
going. Is it 2,000 rpm and 3,000 rpm. And when those 
are being referred to from multiple places, not only is 
it spaghetti, but also increases the probability of 
chance of race conditions and task interference. 

Q. Is there in your industry a standard for how many 
global variables you should use? 

A. Well, it's not an absolute science with that. 
Certainly, you should not be using 10,000. Certainly you 
should not be using 1,000. The academic standard, as Dr. 
Koopman said is zero. In practice a small number of 
global variables may exist in some well structured 
programs, but generally a very small number. 

Q. And what is the next type of spaghetti code? 

A. There is also control flow spaghetti. So here the 
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spaghetti that you have within a recipe, it's greatly 
internally obligated. That's like picking up a recipe 
book and you can't follow it. You can't figure out, you 
know, what am I baking at this point, what step am I on. 
That happens sometimes in source code when one function 
-- remember, we looked at function earlier, a larger of 
one function, instead of fitting on one PowerPoint slide, 
takes 20 pages of printout just to look at that one 
function, and inside there's all these different cases 
and ifs and tests and looking at this variable, looking 
at that other variable. It's like a very complicated 
recipe that you're not sure what you're going to get when 
you get to the other side. 

Q. You got down here at the bottom you talked about 
testability and then you talk about scoring of greater 
than 50. The greater than 50, what are you referring to? 
A. So, I wrote a report chapter called Toyota's code 
complexity in which we produced a large number of tables 
using some static analysis tools to tell us how complex 
is each function that's in the source code. So the tools 
give a score and it's based on the number of different 
ways you could possibly go through that function. The 
number of different sub recipes you might imagine. So 
the number of different possible recipes you can make 
from that one. 
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And this actually is something that is useful to 
software developers generally. If you are, like Dr. 
Koopman talked about going to a company and assessing the 
quality of their product. If you run a tool like this 
and it spits out code complexity numbers for each 
function that will direct you to the ones with the 
highest score are the ones most likely to contain bugs. 
And so if you're hunting a bug, one of the things you can 
do is go and clean up those parts of the code. 

And my organizations that I've consulted with 
maintain a practice where they will not release a product 
if it has a code complexity of any function bigger than, 
a typical number is 30. Toyota's code actually has 67 
functions that score over 50, which has been assessed as 
an untestable score. What that basically means is that 
this one little recipe within this bigger complex 
electronic throttle control system, just to test that one 
little recipe in the factory when you make the car, you 
would have to test at least 50 different vehicle states 
and software states. You would have to test all 50 and 
you would have to have a detail documented plan that 
said, here's what I'm going to do to test path one. 

Here's what I'm going to do to test path two. Test path 
three, et cetera. 

And there are actually design techniques and 
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processes called code coverage analysis. Where you try 
to make sure that the test you run on your product are 
actually going through every one of those lines of code 
and every one of those possible halves. I see no 
evidence that Toyota did that. And particularly not for 
these untestible functions. 

Now, within those 67, there are 12 in the 2005 Camry 
that have over 100, which is assessed at a level of 
unmaintainable, which basically means, if you read the 
papers, that above 100 it becomes so difficult to go in 
and fix a bag, that every time you fix bag, you make a 
new bug. So you've got this very buggy code, it's hard 
to test, and you go in and make a change and you break 
something . 

And one those 12 unmaintainable functions is the 
approximately 1,300 line functions that performs the 
calculation of mathematics to decide how open to make 
that throttle. And that's an area that NASA was very 
interested in, and in fact tried to simulate and could 
not simulate to its satisfaction and found that Toyota 
not only did it not have a test plan to test all 146 
paths through there, but did not also have a simulation 
of it like NASA wanted to run. 

Q. Throttle angle function, is that the function that 
determines how open the throttle's going to be while 
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1 you're running the car? 

2 A. That's right. That's the function that takes as its 

3 input the accelerator contribution, the cruise control 

4 contribution, the idle speed contribution and all the 

5 other subtle ways that the throttle need to be trimmed 

6 are all taken into account in that. To produce one, 

7 ultimately one angle, like 50 percent or 30 percent. 

8 Q. Does that function have to work with task X in order 

9 to run the car? 

10 A. Yes, that function is executed by task X. It's 

11 among the kitchen sink of things that it does. 

12 Q. Let's go to the next slide. You mentioned stack 

13 analysis earlier, is this a more detailed explanation of 

14 that problem? 

15 A. Yes. We're going to talk about stack. 

16 Q. Let's start at the top? 

17 A. Okay. So we did an analysis of Toyota's stack. And 

18 the first thing I should probably explain is what a stack 

19 is. So I mentioned that that if these tasks and 

20 they're switching back and forth taking turns with the 

21 processor, the stack is both how when we are running they 

22 pass information from one recipe to another. If one 

23 recipe calls larger of -- to compute the larger two 

24 numbers, it passes information through the stack and gets 

25 the results back through the stack. 
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But then also it holds that information on the stack 
in memory in that area temporarily while the processor 
runs a different task and then switches back. And so 
this stack is a very important data structure that is 
used by all the tasks. And the operating system allows 
them to use it . 

And the programmers have to pick the size of it. It 
has a finite size. It's just block of memory, contiguous 
block of memory. 

So actually in Toyota's design for the 2005 Camry 
there are two stacks. One is a stack on the right that 
is specific to task X; the other is a stack on the left 
that is for all the other tasks. And also there is also 
something called interrupt service routines. Kind of 
like tasks, they complicate my explanation, so I'm mostly 
ignoring them, but they are abbreviated ISR for interrupt 
service routine. And you see those reflected there as 
well . 

And so what you have on the left is a depiction that 
every moment in time in the car's operation the stack has 
a fixed bottom address, and some processor and some 
designs it's zero in memory, and then is has a fixed top 
address or end address. And in this case I've depicted 
it as growing up to 4K, 4096 bytes, and then it also as a 
current address or a stack pointer, which points to where 
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the system is on that. 

And so we performed an analysis called a worst case 
analysis, which is a process whereby we assess if all the 
tasks are using the stack simultaneously, which can occur 
from time to time, will they explode beyond the stack 
potentially and overwrite what's passed it. 

NASA was interested in this subject and Toyota 
provided them an answer, which was that the stack was 
only utilized at a worst case of 41 percent, 1,688 bytes. 

What Toyota didn't know apparently, and NASA 
understood, is that -- NASA misunderstood therefore, is 
that the actual worst case is 94 percent. And that's not 
including something called recursion. NASA's spent a 
great deal of time talking about Toyota's use of 
recursion, and which could because the stack to overflow. 

And in fact, we don't know how much memory could be 
consumed by the recursive function — recursive function 
is a recipe that culls itself. Like in order to compute 
the larger of 67 an 65 let's cull ourselves on the larger 
of 66 and 65. That's not how that function works, but if 
you can imagine if it culled itself, it could do it many 
times. And there are some recursive functions in 
Toyota's source code, which is not appropriate in a 
safety critical system. 

And the NASA report reflects that inappropriateness. 
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but NASA did not realize that the recursion was on top of 
94 percent. They thought it was on top of 41 percent. 
Making matters worse, if the stack overflows in the 2005 
Camry, the next thing in memory is the critical data 
structures that are not protected inside the operating 
system. To if you have a rare stack overflow, the first 
thing that is going to get damages are those 3 by 5 cards 
that tell the operating system what to do. 

Q. So if in using this the tasks end up running past 
the allowable memory, it then moves into what memory is 
being used by the operating system? 

A. That just keeping on scribbling. 

Q. Does it overwrite things that are going on with the 
operating system? 

A. Right. Those are the critical data structures like 
the three tears of keeping track of what's going on with 
each task and which task to run next. 

Q. Does that cause memory corruption? 

A. Yes. Obviously, the stack overflow itself causes 
memory corruption. The corrupted data is this 
unprotected operating system data and a side effect of 
that can be task death. 

Q. Is there any other information we need to know about 
this slide? 

A. Yes. Specifically recursion violates a MISRA C 
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rule. So had Toyota followed MISRA-C, which is an 
automotive industry subset of the C language that's safer 
and specific for the auto industry. 

In 1998 that standard had a Rule No. 70 called — I 
don't remember the exact language. But function should 
cull themselves. And the rules basically are the same in 
2004 but they changed the numbering system, so in the 

2004 standard this rule, same rule is No. 16.2. So this 
is a violation of the MISRA C rule. 

Q. Does the violation of this rule related to 
unintended accelerations? 

A Yes . 

Q. In what way? 

A. The stack can overflow due to this recursion in the 

2005 Camry . 

Q. And create memory corruption? 

A. And that would create memory corruption, that's 
right . 

Q. What was NASA's view about this recursion? 

A So NASA's view, NASA was concerned about stack — 
possible stack overflow. They had a couple of pages 
devoted to it, about five pages. I pulled some quotes 
here. Recursion could exhaust the stack space leading to 
memory corruption and run time failures that may be 
difficult to test -- detect in testing. The question 
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then is how to verify that the indirect recursion present 
in the ETCS-I does in fact terminate and does not cause a 
stack overflow. 

And then the third one, the CVO in the ETCS-I does 
not have protective memory and therefore a stack overflow 
condition that cannot be detected precisely. Overflow 
would cause some form of memory corruption. And I should 
just stop there. 

When is NASA referring to protected memory here, 
they're not referring to EDAC, they are referring to 
something called run time stack monitoring, which is a 
technique that software developers use to make sure that 
-- it's like a flood marker on a river. When the river 
rises and gets to the flood mark, you know there is going 
to be trouble and you start activating. 

The same thing is a technique that is well-known and 
used for a long time by imbedded software developers, 
which is you make an area of the stack that you watch and 
you see if it gets corrupted. a common thing to do is 
write all ones to it, or some binary pattern, and you 
have a part of the software that is monitoring to see of 
the high watermark has been breached. And if it is, you 
know that you might get into dangerous uncertain 
territory, and so you can do a safe shutdown or reset the 
system to get past that . 
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Q. Is it the memory corruption that's talking here 
about that can cause an UA? 

A. That's correct. NASA didn't know that the memory 
just past the stack was the operating system, as far as I 
know . 

Q. Are we through with this? No. 

A. So NASA also says it's not clear what impact 
incursion has with respect to the larger UA problem. 

There are other sites of recursion that we haven't and 
analyzed . 

Q. So they just didn't look at it? 

A. They looked at some, they took Toyota's word on 
some, and they didn't analyze the rest. And NASA didn't 
ever know that there was so little safety margin. So 
Toyota's answer to NASA about incursion included that 
they had -- Toyota said they had added an extra margin of 
safety more than double the 41 percent. So Toyota's 
answer to NASA is, don't worry about it, we've added a 
margin of safety of more than double. But the truth is 
that margin is not there. And toyota itself didn't even 
realize this. 

Q. Let's go to the next slide. And we talked a little 
about the some of the things you found. What are some of 
the stack mistakes? 

A. So the first big mistake that Toyota made here, is 
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1 that — and this is why it's not 41 percent, it's 94 

2 percent. Is because Toyota didn't do a thorough 

3 analysis. When they did their own internal analysis of 

4 the stack to come up with the number 1,688 bytes, they 

5 missed a bunch of stuff. 

6 The one that accounts for the most extra bytes is 

7 the operating system itself. The operating system, every 

8 time it's switching from one task to another, it stores 

9 data on the stack, so you can't just add up the worse 

10 task themselves, because when they are running or all is 

11 have stuff on the stack, you also have all the operating 

12 system changeovers between them, as well as interrupt 

13 service routines. And Toyota missing that is the biggest 

14 factor in why it was 94 percent, not 41 percent. But 

15 they also missed about 350 functions. They had some 

16 mistakes in their attempt to automating the rest that we 

17 found as well. 

18 So actually the 94 percent is the most we found. 

19 It's possible that the stack could go beyond that as 

20 well. 

21 Q. Let's go to the next one. 

22 A. On top of that Toyota used dangerous recursion. So 

23 I showed some quotes from the NASA report. Here's 

24 another quote form the NASA report. It says, "Absence of 

25 recursion is standard in safety critical imbedded 
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1 systems." And I would agree with that. It is not 

2 appropriate to recursion. And MISRA and NASA and I and 

3 Dr. Koopman all agree on that. 

4 Q. But Toyota has it? 

5 A. Toyota has it in the 2005 Camry, that's correct. 

6 And finally, Toyota didn't perform run time stack 

7 monitoring. This, by the way, is in the cheaper 2005 

8 Corolla that was supplied to Toyota by an American 

9 supplier named Delphi, which is different than Denso, the 

10 Japanese supplier. So Denso is supplying 2005 Camrys and 

11 it doesn't do any run time stack check monitoring, but 

12 Delphi is supplying 2005 Corollas because at the time of 

13 partnership of the Corolla being manufactured with GM in 

14 California. Delphi supplies that and Delphi one, 

15 although it has many defects as well, the stack overflow 

16 is not a possibility in that particular design, as I 

17 understand if. 

18 Q. Okay. Next line? 

19 A. Toyota also failed to comply with a number of 

20 standards, including the standard for its own operating 

21 system. So it used an operating system that it got from 

22 its chip vendor NEC. They supplied the processor and 

23 they also supplied an operating system called RX OSEK 

24 350. The processor is the V850, this was an operating 

25 for that processor called RX OSEK 850. OSEK is a 
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reference to an international standard API, which is a 
programming interface. It's kind of a software term that 
means how you control the operating system. What the 
function names are and things like that. 

At any rate OSEK came out of the automotive industry 
in Europe and this was -- a market was created where 
multiple operating system suppliers could provide 
compatible operating systems. So that from the auto 
maker's point of view, they could switch from one to 
another and they would still be using a version of OSEK. 
And the idea being that those operating systems would 
then compete on quality, compete on the price, et cetera. 
And in order to make sure that the car maker's code would 
work on any one of these, there were a set of compliance 
tests set up to make sure it was truly an OSEK. 

And only operating systems, when you read the 
documentation, that have been tested are supposed to have 
OSEK, they are supposed to say OSEK is a trademark and 
that sort of thing, so they are supposed to be tested. 

We found that the one that Toyota used was not in 
compliance at all. And actually, at that time, by 2002 
there was a compliant OSEK available on the market for 
that very processor, but Toyota for reasons unknown to 
me, chose to go with one that was not certified as 
compliant . 
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1 Q. This particular operating system RX OSEK 850, is 

2 that also included in some of the other vehicles you 

3 looked at, like the Lexus ES, certain model years 

4 Toyota's V6 Camry? 

5 A. That's correct. 

6 Q. Let's go to the next slide. 

7 A. Toyota also failed to comply with standards, and 

8 here we heard from Dr. Koopman about a higher level 

9 concern about safety process. That's not what I'm 

10 referring to here. Here I'm talking about, for example, 

11 the MISRA C guidelines. 

12 Q. That is the smaller book, right? 

13 A That's the smaller book that is very specific on the 

14 C programming language. So the big book says you should 

15 use a documented subset of a language that is safer. And 

16 the little book is those -- that subset, those 

17 instructions. 

18 And by 2004 when they updated this, they wrote in 

19 the book that this was being widely adopted in multiple 

20 industries, they didn't expect it to be used outside of 

21 automotive, but they are very happy it was. And also 

22 that in 2004 when we were updating it, or prior to that, 

23 they had worked with the Japanese equivalent of what here 

24 we call the Society of Automotive Engineers, which has 

25 standards and has conferences for automotive engineers. 
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obviously. That is the Japanese Society of Automotive 
Engineers and the Japanese Automobile Manufacturers 
Association. They participated in the drafting of th 
second version of this. And indeed, one of Toyota's own 
employees was thanked in the contribution. 

Q. That was put out in 2004? 

A Well, the original standard was in 1998. 

Q. And are you talking about, does that relate to the 
original one, or the one that came out in 2004? 

A. Well, the 1998 one was the first version that MISRA, 
Motor Industry Reliability Association of the United 
Kingdom published, and then these comments from the 2004 
addition of that. 

Q. And in the review of what Toyota had done did NASA 
fine any violation of these codes 

A. Yeah, NASA found a number of violations of MISRA 
rules . 

Q. Did you find violations? 

A. Yes. NASA looked at about 35 of the rules. There's 
in total, I forget the exact number. It's basically the 
same set of rules in 1998 and 2004. But as I recall, 
it's over 100 rules total. NASA looked at 35 of them and 
they found over 7,000 violations, and they reported that 
on page 29. 

I checked the full set. There were a couple that 
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were difficult to test, but basically the full set and 
found more than 80,000 violations in the 2005 Camry. 

Q. There was also a discussion about compliance with 
MISRA rules that we heard from Mr. Ishii, I think he said 
something like maybe 50 percent of compliance of used 
MISRA rules. In your code review did you find that to be 
true? 

A . No . 

Q . Was did you find? 

A I actually wrote on whole report on Toyota's coding 
standard in one of my chapters, and what I found studying 
their coding standard was that actually -- the MISRA 
rules are over 100 rules and the Toyota rules — I have 
an appendix that lists them all -- I think it's about the 
same number, about 100, maybe 119, but only 11 of 
Toyota's coding standard rules overlap with the MISRA C 
rules. And interestingly, five of those rules are 
violated in Toyota's code. 

So when they say 50 percent overlap between the two, 
our rules and MISRA rules, no. 

Q. Do you know the percentage on how they actually 
match up? 

A. Just different ways of calculating the percentage. 

I couldn't make any come anywhere near 50 percent. They 
moistly shake out around 10 percent. 
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Q. Did you also review some work done by a Toyota 
employee names Mr. Kawana related to his development of 
how to look for bugs in software related to rule 
violation? 

A. Yes, I did. 

Q. Tell us about that. 

A. So there is a paper by Mr. Kawana that was presented 
in Detroit in 2002 and also a presentation that was made 
in San Diego in 2004. They both contained this bug 
chart, so I pulled that slide from the presentation in 
San Diego. And this is showing that in Mr. Kawana ' s 
view, and these slides are also bearing the Toyota logo, 
it's reasonable to estimate the number of bugs using the 
number of violations. And the standard he looks at — to 
for what's a violation is MISRA C. And this is the same 
Mr. Kawana who I see thanked in the MISRA 2004 documents, 
so he was clearly participating in the update of MISRA in 
some fashion, and around the same time he has presented 
this at an automotive industry conference that suggests, 
at least to me, not knowing otherwise, that Toyota is 
complying -- that Toyota's viewing MISRA C as a 
appropriate — the number of violations in MISRA C an 
appropriate way to estimate the number of bugs still in 
the code. It's called bug population estimation. People 
do the same thing with counting fish in a pond. You can 
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do things like count some and mark them and throw them 
back. There's different ways of doing estimation 
techniques of how many fish are in the pond. Here's a 
technique that industry can use to estimate how many bugs 
there are out there. But this is based on the 2002 paper 
on past Toyota projects. 

Q. This is Mr. Kawana ' s bug chart? 

A. That is Mr. Kawana ' s bug chart. 

Q. And on this bug chart they've got 30 rule 
violations. Does that indicate that you do have bugs? 

A. Yes. In his calculations, there's 30 rules 
violations, there will be one major bug and ten minor 
bugs . 

Q. There's also been testimony that -- and you heard 
part of it from Mr. Ishii that Toyota had its own 
internal coding standards? 

A. I did. 

Q. Have you reviewed some of those standards? 

A. Yes. 

Q. In your review of the source code, were you able to 
determine I some of those were violated? 

A. Yes. 

Q. Let's take a look at that? 

A. So Toyota maintained an internal set of coding 
rules. They may have had multiple coding rules, but this 
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coding rule was specifically for 32 bit processors, which 
is what's in the V8 50 main CPU, written in the C 
language for the power train. So it's referring to the 
ECM that I analyzed code for. 

And what I found is that, first of all, Mr. Ishii's 
statement that 50 percent of them overlap with MISRA is 
way off. I also found that at least about a third of 
Toyota's own coding rules are violated. So they weren't 
enforcing their own rules. 

Q. Would that have been the source code for the 2005 
Camry ? 

A. It was the source code for the 2005 Camry. And 
that's all documented in my chapter on the Toyota's 
coding standard. 

Q. All right. What's next? 

A. So, the whole point of having a coding standard, 
whether you choose to adopt MISRA or write your own is to 
follow it. What good is a rule that is not followed? 

And so it's actually the enforcement part of having the 
rule that's important. 

What I see is Toyota had a standard specifically for 
this system, they had various suppliers, including Denso 
contributing to this system, and themselves, but nobody 
was enforcing this standard at all. And that to me, 
based on my experience consulting in industry indicates a 
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lack of rigor or engineering discipline within Toyota. 

Q . What ' s next ? 

A. This is actually part of a larger pattern that I've 
seen through the documents that I reviewed, through the 
source code that I've reviewed, et cetera, which is that 
Toyota didn't do things that I would have expected them 
to do, and doesn't have documents and paper to prove that 
they did those things. I would expected them to produce, 
if their -- if my software was challenged, is there a bug 
in your code, I would expect to produce, here's the 
database of all the bugs that passed, found and fixed, 
who fixed it. That's how these bug databases work. How 
long it was known about before it was fixed, which ones 
we haven't found yet. You know, some of those might turn 
up later. They don't have that. There's testimony 
about that as well, that they don't have that. 

They also do inadequate peer code reviews. So you 
heard Mr. Ishii say we look at some of the code some of 
the time when we're interested in it, but they don't look 
at all the code all the time. And peer code reviews is 
something that's a known, good, cheap way to find bugs. 

I wrote the code or change it, you look at it. You look 
over my shoulder. Just like an editor would do on a 
document. That's all code review is. It can be formal 
and it should be formal in a safety critical system, so 
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1 there should be a paperwork trail that says on this date 

2 we met, reviewed this module, we found these three bugs 

3 or potential bugs, and we expect those to be fixed. And 

4 this paper trail will make sure that they get fixed. And 

5 that's how it should work. 

6 Q. Based on a lack of systematic processes you 

7 described, have you reached an opinion on whether this 

8 software is defective? 

9 A. Yes. 

10 Q. What's your opinion? 

11 A. In my opinion is that this code is a unreasonable 

12 quality and defective. 

13 Q. You mention down here there is no bug tracking 

14 system? 

15 A. That's what I talked about a database of all the 

16 bugs that have been found and fixed. It doesn't 

17 necessarily have to be a database, it could be a 

18 spreadsheet, but there should be some system in a company 

19 that's making safety critical vehicles that says, yeah, 

20 that odd behavior that was observed down in the lab 

21 yesterday, or on the track yesterday, let's assign some 

22 engineer to look into it, see what happened. Find the 

23 bug. Or if there's not a bug, explain it. 

24 Q. Does Toyota agree there's bugs in the software? 

25 A Yes. So I think this was in Mr. Ishii's testimony 
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1 yesterday. When it comes to software there are going to 

2 be bugs . 

3 Jumping to the end, so the issue is not whether or 

4 not there is a bug, but rather is the bug an important 

5 material bug. And indeed, there are not only bugs but 

6 there are also important material bugs in Toyota's code. 

7 Q. Based on what you heard from Mr. Ishii has Toyota 

8 ever checked to see if a bug would stick the throttle 

9 open? 

10 A. Mr. Ishii said he's never looked for one and he's 

11 not aware of one. 

12 Q. Did NASA have concerns about software causing UA's 

13 in Toyota's throttle? 

14 A. Yes. 

15 Q. And did they look at it? 

16 A. So this chart shows a bit of the methodology that 

17 was used by NASA. So, this is what's called a fishbone 

18 diagram. And so the idea is that, is there a way -- this 

19 is asking a question -- is there a way that unintended 

20 acceleration can be caused by a software error. And then 

21 they are enumerating through branching the possible ways 

22 that could happen. 

23 And so, for example, there could be a bug in the 

24 throttle algorithm, and that would be an example of a 

25 coding defect or error in the recipe. That if happened 
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and it related to US, could cause UA, and then NASA broke 
out other things, other things that could happen. For 
example, they talk about task interference or race 
conditions, and they talk about not having protections 
against faults like bit flips. And then the trace back, 
well, what would cause that bit flips, data corruption, 
communication faults, timing faults, et cetera. 

And the idea is that if one of these root conditions 
can occur and is not blocked by something upstream, then 
it's a possible cause of UA. 

Q. This document we're looking at, this diagram, is 
this one you created? 

A. No, that's -- it's from NASA Appendix B pages 36 to 
39, is that part of the analysis. I included multiple 
pages because there they describe their thinking and 
rationale on each of those sub bullets. 

Q. So NASA was looking for the exact same thing you 
were looking for? 

A. That's correct . 

Q. Go ahead? 

A. And these are examples of things we found. So 
putting it in NASA's terminology, and NASA's chart, the 
defects I've described fit into these coding defects, 
task interference, insufficient fault protection, data 
corruption paths. 
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1 Q. And in terms of the memory corruption we've been 

2 talking about, does it fall into these categories? 

3 A. Yes. So specifically memory corruption over here, 

4 combined with insufficient protection against memory 

5 corruption, can lead to a UA. 

6 Q. All right. There will be some discussion by Toyota 

7 in this case about layers of safety and safety items -- 

8 fail safes they put in their system to catch what we all 

9 term as UA, is that right? 

10 A. That's correct. 

11 Q. Have you examined some of those areas to explain 

12 where there may be a the gaps you talked about earlier? 

13 A. Right. So the important thing from a safety point 

14 of view is not, we have 12 fail safes, or we have four 

15 fail safe layers, it's are there any gaps in them. 

16 And so these are the layers as I see them and 

17 understand them from Toyota's documents and reports. And 

18 for each of them, each of these layers I wrote a specific 

19 chapter where I analyzed that part of the system, 

20 documented what I found, documented if there were any 

21 defects in the fail-safe or layer, and also if there were 

22 any holes that could allow something to get through these 

23 layers. 

24 Q. So now we're going to look at each one of these 

25 layers and have you explain the defects? 
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A. Yep. 

MR. BAKER: Your Honor, I don't know when you 

want to do an afternoon break? 

THE COURT: Let's go till three. 

Q. (BY. MR. BAKER) Let's go to the next slide? 

A. So I've sort of put these in order. So layer one is 

first . 

Q. Mirroring of critical variables. Tell me what 
mirroring means? 

A. So mirroring is like having two cells that have the 
same value sort of in your spreadsheet. Technically, if 
you just have exactly the same value, I would refer that 
as echoing, with -- you have an echoed copy. Mirroring 
is slightly stronger than that, and Toyota generally uses 
mirroring, which is, mirroring is you also flip all the 
bits. So you have two copies of the thing, but if they 
were next to each other and they both clobbered to zero, 
they wouldn't match, because one of them being zero 
should make the other one be all ones. So it's an extra 
layer of protection. 

And so the best protection for mirroring is keep 
them apart in memory, do something like flip all the bits 
in one versus the other. So that when you write to it, 
you write both. And when you read from it, you read 
both. And if they don't match when you read it, then you 
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1 know that something has gone wrong and you can't trust 

2 that value. 

3 Now, depending on how important that value is, it 

4 could be that you just use a default value and continue 

5 on. Or it could be a very important value like the 

6 throttle command, 10 degrees or 100 degrees -- or 100 

7 percent, and in that case then you might do something 

8 different than just use a default value. 

9 Q. So this is a technique that Toyota engineers have 

10 used? 

11 A. Yes. 

12 Q. Did they use it correctly? 

13 A. Toyota used mirroring to protect thousands of 

14 variables. And they did it generally correctly. I'm not 

15 going to speak for all thousands of them. But they did 

16 it generally correctly with respect to those. The defect 

17 is, they missed some of the critical variables. 

18 Q. Tell me about those variables? 

19 A. So one example we've already talked about is the 

20 internal data structures within the operating system. 

21 They missed it because they never looked at the operating 

22 system. They got this operating system in binary from 

23 their chip supplier and they never looked inside it to 

24 see what was in there. 

25 Now, if you're designing a FDA regulated medical 
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product, there are guidelines and you are instructed if 
you're building this insulin pump or pacemaker and you 
decide to use an operating system or other third party 
software, you need to audit that as well. Toyota didn't 
do that here. And that is one of the reasons I believe 
that they missed mirroring within the operating system. 

Q. What about the target throttle angle global 
variables ? 

A. Yeah, there is a number of other variable that 
aren't mirrored, but the one that is really interesting 
from this point of view, from our discussion is that the 
target throttle angle, the one that says 10 degrees or 10 
percent or 100 percent, 10 percent or 100 percent power, 
so not mirrored. 

Q. So there's not -- there is nothing that's got that 
data stored like — it wouldn't be mirrored? 

A. There's no second copy of it. Not echoed, either. 

Q. So if the first copy is corrupted, it's corrupted? 

A It's the only copy. 

Q. And why it that important? 

A Well, it's important because if you -- if a software 
corrupts and changes that throttle command, the rest of 
the software just sees a number in a particular cell in a 
spreadsheet. It doesn't distinguish or know that it's 
not a command from the driver or a correct calculation of 
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1 what the driver wants and what the engine wants, not to 

2 stall, all those things. So if it suddenly changes from 

3 10 percent to 20 percent, is that coming from the driver 

4 pressing on the pedal or is that coming from the software 

5 changing it? 

6 Q. Have you got an example? 

7 A. Yeah. Let me walk you through the process here. so 

8 the way their design works is that you have the 

9 accelerator pedal, which is being read by task X, and 

10 then it writes the calculated value, that very complex, 

11 code complexity of 146 unmaintainable function, it 

12 chooses a value. I put here as an example 20 percent of 

13 throttle. And then it writes it into a memory location. 

14 a 16 bit or two byte memory location. 

15 Q. An unmirrored bit? 

16 A. That's correct. It's an unmirrored 16 bit location. 

17 Q. All right. 

18 A. And then the next thing that happens is another part 

19 of the software comes along and reads it and it says, oh, 

20 it says 20 degrees, 20 percent. And so its job is to 

21 open the throttle to 20 percent. And that's actually 

22 kind of complicated because you're trying to move 

23 something mechanical and the software to trying to do it, 

24 so you're pushing on electrons, and the electrons are 

25 pushing on the motor and the motor is opening to the 


THIS TRANSCRIPT IS NOT PROOFREAD 



58 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


right amount . 

Q. So how can you have a UA from memory -- 
A. So, for example, if task X died and stopped writing 
to that location, and the unmirrored throttle command was 
set to a larger opening, the other part of the software 
is just going to pick up the new value and open the 
throttle . 

Q. Whether that is a correct value from the 
accelerator? 

A. Whether that's a correct value from the accelerator 
or not. 

Q. Go to the next line? 

A. So this says in words what I just said, which is 
that the death at task X causes the loss of throttle 
control, accelerator pedal doesn't work, cruise control 
doesn't work. 

Q. What else? 

A. This motor control task, and it's not just one task 
it's more complicated than that, I'm just simplifying it 
here for my explanation, but that motor control task 
keeps driving the motor -- and by motor here, I mean the 
motor that moves the throttle, it's the part that turns 
the knob on the water valve. And so, either if task X is 
dead, you can get a stuck throttle, which is the last 
calculated command, or the last computed one over here. 
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1 or it can change it to a corrupt value through an 

2 additional memory corruption. 

3 Q. So if you have a memory corruption of the throttle 

4 angle variable that you just showed in your last slide 

5 and then have a task death, what can happen with the 

6 number that is sent to the computer to turn the throttle 

7 to? 

8 A. Well, then it can become any number between zero 

9 percent and 100 percent. 

10 Q. Is there any cap on the actual amount? 

11 A. Well, the throttle physically, technically it opens 

12 between degrees and degrees. Whereas 90 degrees 

13 basically would represent no blockage of air flow. And 

14 so degrees is slightly less than 100 percent. You can 

15 never really get 100 percent. And even when you close 

16 the throttle, you're usually not blocking all the air 

17 flow or else the engine would stall. So you're somewhere 

18 between about six degrees and maybe sometimes lower when 

19 you're idling, and about 95 percent of what you can get. 

20 Q. Does the task death of X in that scenario involving 

21 the throttle angle variable have to occur first or after 

22 the memory corruption of the throttle angle variable? 

23 A. If they are close in time, the two memory 

24 corruptions are close in time, it could be an either/or. 

25 If task X was dead for a while though and then the second 
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1 memory corruption happened some time later, then it could 

2 also happen that way. 

3 So if the two corruptions happen close in time, 

4 which is likely when you have memory corruption, often 

5 it's not just a single -- when it's a software bug or 

6 even hardware bit flip, it can be ricochet and bounce 

7 around like a bullet inside, and so it can cause 

8 multiple memory locations to be damaged. And so that can 

9 begin small and grow over time. And so, if they both 

10 happen right about the same time, it could be that the 

11 throttle command is corrupted first and then the task 

12 dies. But there's more time opportunity the other way. 

13 Q. Can the throttle angle variable be corrupted through 

14 a hardware malfunction and a software malfunction? 

15 A. It could be -- by itself, it could be corrupted by 

16 either one, that's correct . 

17 Q. What's next on this slide please? 

18 A. So this is just memory corruption can propagate from 

19 one to another. You can think of it as shotgun pellets 

20 bouncing around inside the memory, flipping some bits or 

21 changing whole bytes -- 

22 Q. And in this scenario, can the throttle angle go to 

23 any number? 

24 A. Yes. 

25 Q. All right. And have you done a diagram to kind of 
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1 explain this? 

2 A. Right. So I put the previous graph together and I 

3 said, okay, on the left side we still have task X but 

4 it ' s no longer monitoring the accelerator or the driver 

5 controls, because it's dead and its death has not been 

6 detected. And then now I drew a vertical bar or a line 

7 showing that it's no longer ever writing to this global 

8 variable that's not mirrored. And so a memory corruption 

9 there changes it from, say, 20 percent of throttle to 50 

10 percent of throttle. 

11 Q. Are you just using that as an example for your chart 

12 here? 

13 A. Purely illustrative. 

14 Q. What happens next? 

15 A. And then the motor control task not knowing that 

16 task X is dead, interprets this command as 50 percent as 

17 coming from the accelerator through task X, or from the 

18 cruise control through task X, or something else through 

19 task X. 

20 And so now, it's just going to drive the throttle to 

21 50 percent open, and you're going to get more engine 

22 power. 

23 Q. In this example, do we have a task death? 

24 A. Yes. 

25 Q. Do we have a memory corruption? 
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A. Yes. 

Q. We have the computer setting the throttle at some 
angle, 50 percent here in your example? 

A Correct . 

Q. Is that 50 percent in this example set by a 
malfunction in the software? 

A. Yes. 

Q. Is it unrelated to where the driver in your example 
is moving the pedal? 

A. That's correct. So there's a disconnect now between 
that vertical line between the accelerator and what the 
throttle is doing over there in the engine. 

Q. Well, we just talked about failsafes. What happened 
to the failsafes? 

A Well, the failsafes are the monitoring -- that are 
left, are monitoring this portion over here and saying 
the throttle's open halfway in voltage, electrical terms, 
and the command is for it to be open halfway. Those 
failsafes don't know that task X is dead because they 
haven't detected it, and task X has taken some of the 
failsafes down with it that would have known about the 
driver's intent. 

Q. Are some of those failsafes or the activation of 
those failsafes task X? 

A. Yes, most of the failsafes on the main CPU are in 


THIS TRANSCRIPT IS NOT PROOFREAD 



63 


1 task X. 

2 Q. So when it dies, what happens to the failsafes? 

3 A. When it dies, they don't run and so the failsafes 

4 don't run. 

5 Q. All right. And we talked earlier about a situation 

6 where something like this would happen and then somebody 

7 would step on the brake? 

8 A. Correct. 

9 Q. What would happen then? 

10 A. So if somebody steps on the brake here in this 

11 scenario? 

12 Q. Yes, sir. 

13 A. If they weren't on the brake initially, and they 

14 step on the brake after this begins, then there is a 

15 failsafe in the monitor CPU that will inadvertently 

16 detect a symptom of the task X death. That failsafe is 

17 called the brake echo check. We'll talk more about it in 

18 a couple of slides. But the brake echo check will detect 

19 the driver pressing the pedal if they press the pedal and 

20 hold it at least about of a second, and then it 

21 will cause the throttle to close, and seconds later 

22 it will cause the engine to stall. 

23 So if you have speed on the highway, the engine will 

24 stall. 

25 Q. If a person has their foot on the brake when this 
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1 scenario in this example occurs, what would happen then? 

2 A. In that event, in order for that brake echo that is 

3 inadvertently detecting this task X death to do anything, 

4 the driver would have to remove their foot entirely from 

5 the brake pedal. So while the car is speeding away from 

6 them, and as they are letting up mechanical pressure and 

7 maybe pumping or maybe -- I don't know, it's 

8 counterintuitive to let off the brake when that happens, 

9 but the car is going to speed up first because you are 

10 mechanically letting go of the brake pressure that you 

11 have, and then, because each time you pump you have 

12 something called vacuum loss, which causes the air that 

13 is flowing through the engine, because the valve so open 

14 for the throttle, that air is getting sucked into the 

15 combustion process and not going into the power brakes. 

16 So you actually lose brake effectiveness while this is 

17 happening if you start it on the brake. And it will go 

18 on until, can go on forever. 

19 Q. If we have this example and starts with the driver 

20 has their foot on the brake and they never let off the 

21 brake, they are trying to get it to stop, how long would 

22 this last? 

23 A Mr. Arora, Toyota's expert, says it depends on how 

24 much fuel you have. 

25 Q. All right. Have we covered this slide? 
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A. Yes, I think so. 

Q. Let's go to the second layer of safety that we 
talked about the DTCs and other failsafe modes? 

A. So NASA in its report talked about the failsafes 
that Toyota described to it. And they were five 
failsafes on the main CPU that NASA discussed and these 
are called the limp home modes, the idle mode fuel cut 
and engine off. And just briefly, the limp home modes, 
some of you may experienced this in a car before, that if 
your car's engine is malfunctioning, it will allow you 
enough power to drive, to limp to the dealer or repair 
facility, but not enough power to go out on the highway. 
And that is a safety mode. 

And Toyota has three different ones. And it depends 
-- there's two gas pedal sensors, accelerator pedal 
sensors, if it mistrusts one of them, it might allow the 
throttle to be open 10 degrees or 1- percent, if 
mistrusts both of them, then it will only allow the 
throttle to be open a smaller angle. So there's three 
different angles. As I recall, they range from | degrees 
or degrees to or degrees 

There's also something called idle mode fuel cut, 
which is that when your car is idling the rpm will never 
go above 2599. Just like when you're driving on a road, 
no matter how much gas you give it, the rpm will never go 
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1 above 6400. When you're just sitting there at a stop 

2 sign it will never go above 2500. Now, 2500 rpm, 

3 especially depending on the gear you're in can be a lot 

4 of power in a car, but that is a limit that is built into 

5 the software that NASA describes as a failsafe mode. 

6 Q. Where are these failsafes located? 

7 A All of them either are located entirely within or 

8 depend upon task X. So when task X is not running none 

9 of these are relevant to the discussion of UA. 

10 Q. And part of your heading has got DTC, the diagnostic 

11 trouble code. What is significant about them in terms of 

12 task X? 

13 A. So the DTCs , as I've mentioned, is something that is 

14 stored in the computer that says something went wrong. 

15 And so when this happens, there is not going to be any 

16 DTCs stored, but I don't want to rule out all of them 

17 because there is another task that does a few. But 

18 generally speaking most of the DTCs are going to be 

19 disabled during this scenario. 

20 So if you were to reboot the car and read the 

21 computer you may find no codes as though nothing was 

22 wrong, and now because you've rebooted it, all the £|| 

23 tasks are alive and the car is running normally again. 

24 Q. The diagnostic trouble codes that can be set when 

25 something is wrong with the car, if they are set and 
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1 stored, are they stored forever? 

2 A. No, they are not. 

3 Q. If the vehicle loses battery power, what would 

4 happen to the codes that had been set? 

5 A. The DTC codes are stored in an area of memory called 

6 battery backed ram. Most of the time when you reboot a 

7 computer, the ram, working memory, is emptied out or 

8 become nonsense. But battery backed ram, because it's 

9 getting a trickle of current all the time can maintain 

10 its contents. But it only maintain them while the 

11 battery is applied. So if you parked the car after the 

12 incident and the battery drained, then you would lose all 

13 the information. Or if during the accident there was a 

14 disruption of power supply, then you would lose those 

15 codes that might have been set. 

16 Q. So for example -- 

17 A. And that's true regardless of task X death or 

18 anything else. That's just how the system works. 

19 Q. That is how Toyota's system works? 

20 A. That's right. 

21 Q. So if Ms. Bookout ' s car before it was inspected by 

22 anybody lost battery power, would any DTCs if they were 

23 set, still be in the car? 

24 A. If the battery had been disconnected there would not 

25 be DTCs to recover because they would have disappeared 
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1 from memory. 

2 Q. All right. Let's go to the next slide. The third 

3 layer your title watchdog supervisor. Can you explain 

4 this one to us? 

5 A. This one is going to take some explanation. So if 

6 you ever had a computer crash like your iPhone or your 

7 Android or whatever, and you were there to reboot it. 

8 It's not working and you reboot it. But some computers 

9 are in situations where there is nobody there to poke the 

10 button. So for example, when NASA sends a mission to 

11 mars. Mars Pathfinder is a good example in 1997. The 

12 first color images come back from the surface of Mars. 

13 The sent it there, they include in the design something 

14 called a watchdog. So the idea is that the hardware will 

15 wake up or reset the system if there is a software crash. 

16 And this actually turned out to save the day in the Mars 

17 Pathfinder mission because when that ship arrived on the 

18 surface it was able to beam back photographs and other 

19 things, and the following weeks when NASA engineers were 

20 doing their science on a surface, they had actually a 

21 number of watchdog resets. If the watchdog had not been 

22 there to save the day, then they wouldn't have gotten the 

23 computer to phone home again so they could fix it. 

24 In your car, the watchdog is there to -- if 

25 something goes wrong with the software, it should be 
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there to reboot the system very quickly so that you can 
get back to a safe running car. And Toyota does have 
something, they have a watchdog timer chip and they have 
something they call the supervisor. I call it the 
watchdog supervisor in my report. And that the job of 
that software, that part of the software is to 
periodically check in with this watchdog timer hardware, 
WDT , and if the software doesn't check in, then the 
hardware resets automatically the processor. 

Q. Is that what it's supposed to do? 

A. That's what it's supposed to do. 

Q. In the example you just gave, if we have a task that 
dies, say task X, and it doesn't report in to the 
watchdog, what's supposed to happen? 

A. Well, ordinarily when you have one of these watchdog 
supervisors, the software to kick the dog, kick the 
timer, you're supposed to monitor all the software for 
its health. And that's been well-known for a long time. 
And certainly, when I was editor in chief of the 
magazine, that was wellO-known and we published articles 
about how to do good watchdog timer design. That would 
have been in the 2001 to 2003 time frame. 

When there are multiple task because you have an 
operating system, it's necessary to check that they are 
all working. You can't just say, well, I, the supervisor 


THIS TRANSCRIPT IS NOT PROOFREAD 



70 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


in here, I"m happy, don't reset us. You have to check on 
all of them. That is how it should work. Unfortunately, 
that's not how toyota's design works. 

Q. What is the problem with theirs? 

A. The Toyota's design actually they have an abysmal 
design, not just unreasonable in my view, but I use the 
word abysmal. This was actually the first chapter of my 
report I wrote because I couldn't believe what I was 
seeing . 

Toyota has a watchdog supervisor design that is 
incapable of ever detecting the death of a major task. 
That's its whole job. It doesn't do it. It's not 
designed to do it. 

It also, the thing it does in Toyota's design is 
lookout for CPU overload, and it doesn't even do that 
right. CPU overload is when there's too much work in a 
burst, a period of time to do all the tasks. If that 
happens for too long, the car can become dangerous 
because tasks not getting to use the CPU is like 
temporarily tasks dying. 

And in Toyota's watchdog you can have any overload 
going up to one and a half seconds, which at 60 miles an 
hour I calculated is about the length of a foot ball 
field, you have any vehicle malfunction for up to a foot 
ball field in length that's explained only because this 
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watchdog design it bad, and because the processor is 
overloaded momentarily. And that should have been also a 
job of that watchdog supervisor. And that is one they 
tried to implement and they don't do it well. 

They also made a classic blunder, one that's taught 
by professor like at Dr. Koopman to first year students 
in his imbedded systems class, which is, you don't 
dedicate a hardware timer on the main CPU to periodically 
kick the hardware on the watchdog, because that will keep 
functioning even though vast portions of the software and 
the tasks are not rubbing because these interrupts are a 
higher priority than the tasks. 

And so, that is a design that you -- and I have 
spoken about that at many conferences, not doing it that 
way. And they do that. 

They also, in order to not detect a death of tasks, 
the operating system is sometimes telling them, hey, the 
task isn't working right. And they have lines of code in 
there to throw that information away. They are ignoring 
error codes from the operating system telling them 
there's a problem with this task. And that, by ignoring 
those errors codes, is a violation of another MISRA rule. 
No. 86 in the 1998 version. 

Q. So if a task death occurs and that information is 
ignored, it would violate this MISRA rule? 
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1 A. That's correct. 

2 Q. And could that have an impact on causing a UA? 

3 A. Yes. 

4 Q. Are there ways to do it differently? 

5 A. There are. Reasonable alternatives to this were 

6 well known long before this car was designed. In fact, 

7 in the 2005 model year Prius, they have — in a Prius you 

8 have two engines. You have a combustion engine and you 

9 have a battery engine. The Prius combustion engine looks 

10 a lot like the Camry combustion engine code, but they had 

11 a fresh new design for the hybrid battery computer. And 

12 guess what? It has a good watchdog. It's a better 

13 design in there. It monitors the health of every task, 

14 and it monitors both for executing it too frequently, and 

15 for not executing frequently enough. 

16 The primary purpose of this part of the software 

17 should have been to detect task death. Toyota didn't do 

18 that. In my view, based on all the evidence I've seen, 

19 because the CPU was overloaded at times, and the watchdog 

20 was weakened to allow that. 

21 Q. So based on your information from the Prius, did 

22 Toyota know how to do it right? 

23 A. Absolutely. 

24 Q. Let's go to the next slide. Layer four, this is our 

25 last layer of safety that you're going to talk about from 
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1 Toyota's perspective. 

2 A. Let me just back up. You asked me did Toyota know 

3 about it. And i don't know for a fact whether the 

4 engineers would have at Denso or Toyota. 

5 Q. Fair enough. Thank you. Is this our last layer of 

6 safety that was in your original slide? 

7 A. Yes, this is the fourth layer. 

8 Q. The ESPB-2 monitor CPU. I think they've heard a lot 

9 about this, but that's the smaller chip that you showed 

10 them in the picture of the overall board, correct? 

11 A. That's correct. 

12 Q. Tell us about this. 

13 A. So there are some failsafes in the monitor CPU for 

14 various purposes, and I examined those. And on this 

15 slide I'm summarizing the relevant ones with respect to 

16 what happens when there's task death and UA. 

17 One set of them is what's called system guards. And 

18 there is these three different system guards, one on the 

19 main processor, one on the monitor processor, and one 

20 that straddles the two of them. 

21 And in theory they are specifically designed to look 

22 out for UA. But in practice, when task X is dead, they 

23 are either dead or they don't have any knowledge of the 

24 driver's intent. And so they are not operating at that 

25 time. 
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1 

Q. And the brake echo check, you mentioned this a 

2 

couple of time earlier, correct? 

3 

A. Yes, so the brake echo check has turned out to be an 

4 

interesting aspect of the monitor CPU, because it does 

5 

sometimes detect the death of task X after there has been 

6 

a UA in our testing. So in the testing where unintended 

7 

acceleration by task death was observed, sometimes when 

8 

the brake switch was transitioned, either the driver 

9 

first pressed on the brake or the driver released the 

10 

brake because they had been on it, this brake echo check 

11 

detects that symptom of task X death, however this is not 

12 

an appropriately designed failsafe because, first of all. 

13 

it waits for the driver to have act first. 

14 

So, and also if the driver's action when the car is 

15 

misbehaving, is to say it's going slower than I want, let 

16 

me step on the gas pedal, this does nothing. So the 

17 

driver has to act first and the driver has to change the 

18 

state of the brake pedal, which in some cases could mean 

19 

doing something very counterintuitive, which is taking 

20 

the foot off the brake during an emergency event. 

21 

Clearly, that is not by design of Toyota's 

22 

engineers, despite what we heard from Toyota's expert Mr. 

23 

Arora . 

24 

In addition, it takes the wrong action. When this 

25 

brake echo check that inadvertently detects task death 
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1 does act after the driver, after the UA, it doesn't reset 

2 the ECM to restore the system to normal function. It 

3 stalls the car wherever you are. It first cuts the 

4 throttle, which slows the car, and then 

5 later it stalls the car completely, which could also 

6 contribute to harm. 

7 Q. You understand there's been no evidence in this that 

8 Ms. Bookout ' s vehicle stalled prior to the crash? 

9 A. I do. 

10 Q. And we've got one more line? 

11 A. Just simply from my analysis of the source code, 

12 there are several reasons. I put them in my report my 

13 this brake echo check is also nonreliable. 

14 Q. And why is that? 

15 A. There is some reasons why it's not — it's not 

16 designed to be 100 percent reliable. There are several 

17 reasons, I'd have to look at my report to refresh my 

18 memory. 

19 Q. Do we have another line up here? 

20 A. And finally, nothing in the monitor CPU detects all 

21 main CPU malfunctions. There is not, for example, a 

22 watchdog supervisor like function that looks out for task 

23 death, or looks out for UA. These are the relevant ones. 

24 Q. How do you know that? 

25 A. Because I've viewed the source code, because in the 


THIS TRANSCRIPT IS NOT PROOFREAD 



76 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


testing of nothing else is active. 

Q. Okay. This particular part, this monitor CPU, have 
you seen any evidence that Toyota actually did a design 
check or design review on the software or source code in 
the monitor CPU? 

A. I have not. 

Q. Do you have a slide on that? 

A. So Toyota didn't look at this monitor CPU. The end 
final failsafe, the second CPU, they didn't look at it. 

As -- this was, I think from Mr. Ishii's deposition on 
Friday, when it comes to the source code for the monitor 
CPU, we, Toyota don't receive them, there would not be a 
design review done on that software. And the attorney 
asked, that ' s the one with the monitoring software for 
the electronic throttle control system, correct? And Mr. 
Ishii said yes. 

Q. And you were here to hear that testimony when it was 
played? 

A. I was. And I've read it before. 

Q. Was the next slide please? 

A I just want to repeat that, because I think that is 
an important point. 

Q. Why do you think it's important? 

A. Well, Toyota has made public statements that 
couldn't possibly be a software cause for UA. I've 
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reviewed documents where toyota's own investigative teams 
to end UA complaints don't include anyone for software on 
the team. They look floor mats, they look at pedals, 
they look at confused drivers, but they've never really 
sought the source code to actually look and see like, 
hey, this second chip, does it really do what we think it 
does . 

Q. And is it this chip, the monitor chip, you've seen 
the source code? 

A. I have. And NASA actually has not. NASA was not 
provided with it. I think we heard Mr. Ishii say maybe 
they didn't ask for it. 

Q. And the source code for this chip that was produced 
late? 

A. Yes, this is the source code that was produced about 
three weeks before my report was due in Van Alfen. And 
this, by the way, a exactly the same chip and software 
from 2005 to 2009 in the Camry, and some other models as 
well, but that is irrelevant to this discussion. 

Q. Is it the same in the -- 

A. I don't recall as I sot here. 

Q. Why do you say the monitor CPU is the last a line? 

A. Because there's nothing else beyond the monitor CPU. 
So if the main CPU is malfunctioning and its own 
failsafes are either disabled or not doing anything, the 
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1 monitor CPU knows that the driver is pressing on the 

2 brake, the monitor CPU knows the percentage open of the 

3 throttle, the monitor CPU knows how long those things 

4 those have been happening at the same time. So, for 

5 example, if the driver has been braking for half a second 

6 and the throttle is still at 50 percent, surely that 

7 suggests there is some sort of problem going on in the 

8 vehicle. Potentially, the main CPU is malfunctioned. 

9 And this chip had in it everything it needed when it 

10 was designed about 2002 to have paid attention to those 

11 two things. It had all the electrical signals coming in, 

12 all electrical signals going out, it had adequate memory, 

13 it had adequate CPU time to do this. Small check. And 

14 it could have -- if it was a software malfunction, a 

15 reset of the ECM would cure it. Now, if it was something 

16 like an entrapped pedal, resetting again is obviously not 

17 going to fix that, and so maybe a second action should be 

18 something different. 

19 But as a first step, as a first action, they could 

20 have included software like this. And this is extremely 

21 important. Toyota designed a vehicle that has a braking 

22 system where the power brakes are connected mechanically 

23 through air flow to the throttle. When the throttle's 

24 wide open, the air is largely flowing into the combustion 

25 process, because ' s is a vacuum there sucking it in. And 
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it's — and the brake can become depleted so you don't 
have assistance from the brake. You're losing pressure 
when you pump. 

And Toyota must have understood that. There is a 
mechanical linkage between the throttle and the brake. 
And maybe in a mechanical throttle system it was always 
the case that the driver let off and closed the throttle, 
so that wasn't a problem. But when they put software in 
charge, they should have taken notice of this and cared 
tremendously of the fact that the software was 
responsible for all three elements of combustion. And 
they could have acted back in that time in 2002 
approximately when they were designing ESP-B2 chip, they 
could have acted to stop any UA, no matter how many bugs 
were in the CPU. 

Q. If they already had that chip would it have cost 
them anything to make that software change? 

A. I mean, it would have cost some engineering time to 
do this and testing time. But in terms of a per unit 
cost per car, it's the same chip, same amount of memory, 
same processor, a couple hundred line of assembly code. 

Q. All right. We've gone through several things. 

Let's talk briefly about the software process of Toyota. 
Have you evaluated that? 

A. I have, yes, sir. 
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1 Q. What did you determine based on that? 

2 A. There is a number of defects, and some apparent 

3 explanations for those defects. So one defect is that 

4 there are single points of failure and the -- what they 

5 call the failure modes and effects analysis that Dr. 

6 Koopman talked about and I think he showed on one of his 

7 slides some examples of Toyota's documents, where they 

8 think of things that might go wrong and then they decide 

9 if and how they are going to mitigate them. 

10 They missed stuff when they did that. And that it's 

11 my opinion that's because they didn't a formal safety 

12 process like the MIRSA, the big book. They don't follow 

13 a recipe for making a safe system. 

14 They also have the defect that they didn't do peer 

15 reviews on the operating system code or the monitor CPU 

16 codes. And here, ultimately, it comes down to resources. 

17 Toyota did not put people and time behind checking up on 

18 the suppliers who were supplying this critical software. 

19 The operating system at the heart of this main CPU and 

20 this and second CPU that's doing the monitoring. 

21 Q. What about the watchdog? 

22 A. Well, the watchdog, I haven't seen any evidence that 

23 they peer reviewed it. But that design has stayed almost 

24 identical through the model years that I've seen on the 

25 main combustion engine. 
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Q. Did the watchdog supervise the task death? 

A. Not reliably, not most tasks. 

Q. What else? 

A. The -- another defect in their process is that they 
didn't follow their own coding standard. Now, in my 
coding standard chapter, I assess my opinion of their 
coding standard. I've studied coding standards, I've 
written a coding standard book, I'm familiar MISRA, and I 
assessed that many of the rules that they have are 
simply, like this how should name your variables, they 
did not have very many rules that would have kept bugs 
out. And in fact, some of their rules actually would 
have increased, related to race conditions, would have 
increased the likelihood of bugs in their code, 
particularly over time. 

And they didn't even follow this lousy coding 
standard that they had. They didn't put people, again, 
to make sure that their suppliers -- and not all this 
code was written at Denso. The code on the main CPU was 
partly coded from Toyota, partly coded from Denso. And 
when they is a different supplier like Delphi that GM 
supplier, they give the Toyota part of the code to Delphi 
and then Del Phi adds the Del Phi part of the code, so 
it's a mix of Toyota code and supplier code. And they 
didn't enforce the coding rules, apparently on either 
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one . 

Q . What ' s next ? 

A. Nedt is that the watchdog supervisor doesn't detect 
most task deaths. As I explained, it's my view that the 
reason for this is that the CPU was overloaded from time 
to time. In other words, it cost them less to water down 
the watchdog than to upgrade the CPU to a fast enough 
CPU. 

Dr. Koopman talked about something, called rate 
monotonic analysis. It's in my report too. That's 
something that Toyota's engineers should have done to 
make sure that all of those tasks would always complete 
on time and there would never be CPU overload. But they 
didn't. And there are specific places in the code where 
they say, oh, that test didn't finish yet? Okay. We'll 
wait for it next time, maybe it will run next time, 
because the CPU is overloaded. 

And there are also indications that different model 
years of different cars they are moving around 
functionality, like the automatic transmission, is in 
another processor on the same board, or on another board. 
And because early on they are trying to do all this stuff 
with older processor technology, and then in the 2005 
Camry design they combined them together into one. 

And they keep switching these things around, which 
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1 is an indication to me that they can't do it all in that 

2 one processor. And that, the poor watchdog design, a 

3 number of other things that I've documents in my report. 

4 Q. And then lastly talk EDAC . 

5 A. Right. So those extra hardware protections bits, 

6 the EDAC that NASA calls it, the parody that Dr. Koopman 

7 talked about, those cost money. And it's actually 

8 somewhat straightforward to calculated, because if you 

9 have eight bits you want to protect, to do it right you 

10 need five more bits. And so you're taking something that 

11 was eight and making it 13. And a lot of the cost in 

12 that is related to the size of the chip, and that's tied 

13 directly to the number of bits. So you're increasing the 

14 area of the chip making a bigger processor in order to do 

15 that. And Toyota chose not to do that in the 2005 Camry. 

16 They had by the 2008 Camry added not the five bit version 

17 but a cheaper version, I believe it was a three bit 

18 version. 

19 Q. In terms of EDAC, is Toyota tell NASA that the; 05 

20 had it? 

21 A. Not only did NASA write in its report that they had 

22 it, but I've seen the email where NASA asked if they had 

23 it and Toyota responded that they did. 

24 MR. BIBB: Objection, Your Honor, hearsay. 

25 THE COURT: Overruled. 
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1 THE WITNESS: That's in my report, by the way. 

2 What was I talking about? 

3 Q. (BY. MR. BAKER) You've seen an email where Toyota 

4 actually told NASA they had EDAC on the '05? 

5 A. Right. So it's clear that NASA didn't just make 

6 this up out of thin air, Toyota told it to them in an 

7 email. 

8 Q. Let me ask you this about EDAC. Does EDAC help 

9 prevent memory corruption? 

10 A. Yes, it does. And NASA was concerned about if there 

11 what bit flip due do EMI or some other hardware effect, 

12 could that cause a UA. And NASA relies on the fact that 

13 there's no EDAC when reaching its decision that that 

14 can't happen. 

15 Q. Because they believe -- 

16 A. Because they believe EDAC is in it. And 

17 furthermore, Toyota redacted or suggested redactions that 

18 were made in the NASA report almost everywhere the word 

19 EDAC appears it's redacted. So someone at Toyota knew 

20 that NASA thought that enough to redact from the public 

21 that false information. 

22 MR. BIBB: Objection, Your Honor, now he's 

23 interpreting, I move to strike that last piece of 

24 testimony. 

25 THE COURT: I'm not going to strike it but move 
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1 

on . 

2 

Q. (BY. MR. BAKER) Let's go to the next line? 

3 

A. Just the point really is, if they were confident 

4 

that they didn't need EDAC, why left NASA believe it if 

5 

they had some other explanation. 

6 

MR. BIBB: Objection. 

7 

THE COURT: Sustained. I'll strike that last 

8 

answer . 

9 

THE WITNESS: I'm sorry. I misunderstood. 

10 

THE COURT: Is this the last slide on software? 

11 

MR. BAKER: We can break if you need. 

12 

THE COURT: Why don't we do that. It is now 

13 

3:00, we're going to take a 15 minute afternoon break. I 

14 

remind you during the break, do not discuss the case, do 

15 

not form any opinions and get lots of caffeine. 

16 

(THE FOLLOWING PROCEEDINGS WERE HAD AT THE BENCH 

17 

OUTSIDE OF THE HEARING OF THE JURY.) 

18 

THE COURT: Were back on the record outside of 

19 

the presence of the jury. 

20 

Go ahead, Mr. Bibb. 

21 

MR. BIBB: As I understand, the plaintiff 

22 

intends now to offer most of the other incidents that are 

23 

identified in Mr. Barr's report, am I correct Mr. Baker? 

24 

MR. BAKER: Yes, sir. 

25 

MR. BIBB: Our objections to that would be to 
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the extent there are incidents that occurred after the 
date of the incident in this case, which is September -- 
back September 2007 or after the date of this vehicle was 
sold after August of 2005, that those can only be offered 
for purposes of trying to show defect in this vehicle. 

And plaintiff has a high burden of showing substantial 
similarity with those and it is the plaintiff's burden, 
so I think we're going to have to do more than just ask 
Mr. Barr to describe them to jury. We're going to have 
to have some sort of hearing on each one of them as to 
whether they are, in fact, substantially similar. And I 
understand the Court is interested in the type of 
software, but again you've got to look at the type of 
incident. There are short duration incidents, long 
duration incidents and I think that you're going to have 
make more of a showing than plaintiff intends to talk 
about . 

MR. CLARK: A particular problem is the problem 

that we got into on Friday with regard to those vehicles 
that have six cylinder engines, because I think the 
Court's already seen the PowerPoint is full of 
limitations, you know, limitations to the L4 . There has 
been some sort of discussion of some differences between 
the four cylinder and six cylinder. For instance, EDAC 
is present in the later six cylinder engines, something 
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1 we just ended with. And it's certainly our position that 

2 Mr. Barr saying that the four cylinder and six cylinder 

3 are substantially similar to my purposes, which I think 

4 is the gist of his testimony, is not a sufficient 

5 foundation. The evidence is undisputed that there are 

6 significant hardware and software differences between the 

7 two engines. In fact, the older six cylinder Camrys have 

8 an extra CPU in them. 

9 THE COURT: Mr. Baker. 

10 MR. BAKER: Your Honor gave us guidelines that 

11 you anticipated you would follow in looking at these 

12 defects, and also refute the position taken by the 

13 defendants as to reasons they can be both. The Court at 

14 that time said whether it's pulling into a parking lot or 

15 merging onto traffic is not necessarily a big factor that 

16 you were going to consider, that you were more concerned 

17 about is that software defect issue that was looked at by 

18 Mr. Barr substantially similar. I've already set a lot 

19 of the predicate already. I specifically had him 

20 describe 2002 to 2010 Camry's, the L4 and E6s where he 

21 said the software was substantially similar, that they 

22 also had the same operating system, which I'll reiterate. 

23 The ones in his report are all Camrys and so I would only 

24 ask him about one's he specifically reviewed and relied 

25 on in part of his analysis in this case. 
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88 

MR. CLARK: Your Honor, on this slide we've got 

some bullet points -- 

THE COURT: Which page? 

MR. CLARK: 55. I'm sorry. Mr. Bibb was 

talking about having to have a mini hearing on these and 
that's exactly right. There's at least one of these 
vehicles in his report that does in fact have an all 
weather floor mat present in the vehicle and it's in his 
report anyway. Obviously we are going to have examine 
him about that. And you know, this is sort of getting 
into the 403 issues and a waste of jury time and the 
cumulativeness and the confusion of the issues that I 
think we've already briefed and already argued, we would 
reiterate here, because whether or not a particular 
incident that postdates Mrs. Bookout ' s crash was caused 
by a floor mat is wholly irrelevant to what this jury has 
to decide. 

THE COURT: Which one of these did you say -- 

did you find specifically there was a floor mat issue? 

MR. CLARK: Ms. Preese-Morrison testified that 

she had a plastic floor mat that she bought at Walmart 
that was on top of her -- 

THE COURT: I just read her deposition during 

the lunch hour and she was very clear -- at least her 
testimony, she was very clear that she had the officer 


THIS TRANSCRIPT IS NOT PROOFREAD 



89 


look at it, so. 

MR. CLARK: That's right, but that is not what 

Mr. Barr's sides says. Mr. Barr's slide says no all 
weather floor mat. 

THE COURT: And you certainly attack him or 

critique him on that on cross examination. Is there 
another that you think -- because I see a lot of these he 
says no floor mat. 

MR. CLARK: We can go through one by one. 

THE COURT: I don't care to do that. Was that 

the one you were specifically referencing? 

MR. CLARK: That was the one I was thinking of. 

I think Gomez was in his Van Alfen report and he took 
that out. That's another one. 

THE COURT: Let me tell you. I had made notes 

on what he was saying about these and he said for the 
2002-10 Camry models that the operating systems are 
substantially similar as were the software systems 
substantially similar. And that he talked about a whole 
chapter one that discusses the similarity of it. I had 
another notation on his slide 43 where he specifically 
says that this particular software is the same in 
everything from 2005 to 8. And there are only two of 
these or three of these perhaps that I tabbed that were 
actually nine, but I think were included in the first -- 
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in his statement having to do with this chart on page 
five. But Mr. Baker, has address, and again, I don't 
know other than hearing it in argument that I've heard 
anybody say that the V4 or V6 that the engine size 
changes anything. 

MR. BAKER: I asked him specifically that 
question and he said the software was substantially the 
same . 

THE COURT: Regardless of the engine size? 

MR. BAKER: In terms of this defect. 

THE COURT: Right. And then I did notice in 
terms of going through, and again, I haven't read each 
one of these, but I did notice that there is additional 
stuff in here about people die and say they are going to 
die or they're severely injured, or going off a sheer 
cliff . 

MR. BAKER: I'm not going to -- I'm just going 

to ask factually about what happened in the UA event, not 
who died or who got hurt. I will instruct the witness 
not talk about that. 

MR. BIBB: As I understand. Your Honor, the 

facts and circumstances of these accidents vastly 
different between the circumstances in this case, you can 
still admit them. The first one. Hill, was attempting to 
enter a parking space where the vehicle suddenly 
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1 accelerated. A very low speed, very short duration, very 

2 confined area. The factual differences between many of 

3 these incidents and the crash in this case which was a 

4 high-speed exiting of a freeway. 

5 THE COURT: But I don't think there has been 

6 any evidence, correct me if I'm wrong, that has said that 

7 if -- because Toyota's position has always position has 

8 been, this just didn't happen. But from the plaintiff 

9 has there been any evidence that task death would perhaps 

10 only occur when it's a long term as opposed to a short 

11 term? I mean, it happens and then it lasts whatever 

12 length of time it might last until there is an accident 

13 or it stops? 

14 MR. BAKER: That's right. And he specifically 

15 used these events as part of his root cause analysis to 

16 come to the conclusion. 

17 MR. CLARK: Something that is important. Your 

18 Honor, is that Mr. Barr's testified, that if the incident 

19 starts with a foot off the pedal, or a foot on the 

20 accelerator pedal, and then the driver brakes, then the 

21 brake echo function is going to close the throttle and 

22 eventually stall the vehicle after That was 

23 his testimony. That was the only testimony that we've 

24 heard. So if you take one like -- let's see. Hazel is a 

25 good example, 77 and 85, apparently didn't begin with a 
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1 foot on the brake and once the event began she applies 

2 the brakes. That takes us out of the similarity of these 

3 incidents that allegedly begin with the foot on the brake 

4 where he's testified that it's absurd to expect somebody 

5 to remove their from the brake. 

6 THE COURT: Mr. Baker, are there certain ones 

7 of these that it's undisputed that the foot was on the 

8 brake all along so that this brake echo should have 

9 kicked in? 

10 MR. BAKER: I don't know that the answer to 

11 that. Your Honor. I viewed these as part of this 

12 analysis. I think whether the foot was on the brake when 

13 this started, then goes to the weight of it, not to its 

14 admissibility. And part of this is to refute Toyota's 

15 position that this doesn't ever happen. 

16 MR. CLARK: Doesn't go to weight versus 

17 admissibility. Your Honor, it goes to whether it's 

18 similar or not. Nassar is another good example of that. 

19 This fellow was entering the highway. I've entered a lot 

20 of highways, I'm sure the Court has too, and I always 

21 enter highways with my foot on the gas pedal, so that one 

22 pretty clearly there's is transition that takes it out of 

23 similarity. 81 and 85, I'm sorry, the top of that page. 

24 THE COURT: Where is it in 81 that you said he 

25 had his foot on the brake? 
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1 MR. CLARK: He said the incident started on the 

2 second or third lines, while driving in New Jersey. He 

3 reported that while he was entering the highway the 

4 vehicle wanted to continue to accelerate. I'll admit 

5 from that we don't know for sure what pedal his foot was 

6 on, but it seems to me you're entering the highway pretty 

7 likely the foot is on the accelerator pedal. He goes 

8 then from the accelerator to the brake. And Mr. Barr has 

9 said brake echo should work in that situation, it should 

10 close the throttle. I think that is undisputed. 

11 THE COURT: Let me ask, isn't this all being 

12 offered just for the purposes of refuting Toyota's claim 

13 that these situations don't exist. And you're not 

14 claiming that the brake echo wouldn't — was there a 

15 brake echo in this car? 

16 MR. CLARK: Yes. 

17 THE COURT: So you're not saying the brake echo 

18 system, you're just offering these for the purpose of 

19 showing that unintended accelerations, some of them brake 

20 echo may have kicked in because the way of foot was 

21 applied. 

22 I'm going to allow these with the caveat being none 

23 of the details about describing the accident or people 

24 who were injured, statements in it. 

25 MR. CLARK: Are we to understand then that the 
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universe of other incidents in this case is limited to 
the ones that Mr. Barr has described? 

THE COURT: No. And we will discuss that in 

more detail. One of the depositions that you all gave me 
had somebody reading through a bunch of reports and we'll 
be discussing those outside the presence of the jury as 
to which if any of those are going to come in. But right 
now I would say you're probably well taken because if he 
hasn't laid a foundation and it wasn't a preaccident, I 
don't know how else they are going to get their 
foundation laid. Okay. 

(THE FOLLOWING PROCEEDINGS WERE HAD WITHIN THE 

HEARING OF THE JURY AS FOLLOWS : ) 

THE COURT: We're on the record. The members 

of the jury are present as well as counsel and their 
clients. Mr. Barr is still on the stand and still under 
oath and you may continue -- how about this, you may 
conclude your direct examination. 

Q. (BY. MR. BAKER) Looking at this slide how Toyota's 
inadequate software process, I think we heard a little 
bit of this from Dr. Koopman. Can you briefly tell us 
why you put it in your slide presentation? 

A. Yes. What I conclude from reviewing the documents 
and examining Toyota's source code and other things, is 
that while Toyota has a reputation for being a quality 
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producer of mechanical automobiles, that internally their 
software process was inadequate, and you know, they 
lacked internal expertise in a number of areas. This is 
their own internal document where this is a software 
development process that they've laid out. And each of 
boxes that's in pink with an X, Toyota is saying we don't 
have knowledge inside Toyota, we're entirely relying on 
our suppliers for these areas. 

And then in the same document there is a process in 
place for hardware and not software. In my consulting 
practice, in imbedded systems of various kinds, I've seen 
over the years that there is not really very many 
companies that just specialize in Imbedded software. But 
most companies that make an imbedded product they make 
the product first and then they end up with software 
inside . 

So they make cars first and then they end up with 
software inside them. They make microwave ovens first 
and end up with software inside them, et cetera. 

And so what I see Toyota came late to the software 
process, maybe, I don't know about current cars, but 
maybe they've improved things. This was part of a 
document where they were trying to improve things 
starting about 2007, with the 2012 model year. 

But at this time when these vehicles were being 
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1 made, including the 2005 Camry, they did not have an 

2 adequate oversight or training of their suppliers or 

3 engineers, they didn't have an enough staff in this area, 

4 et cetera. 

5 Q. Have you reached a conclusion whether you what 

6 determine to be an inadequate software process le to the 

7 defective software you're going to describe? 

8 A. Yes. 

9 Q. What's your opinion? 

10 A. It's my opinion that that lack of process led to the 

11 defects and the detects led to the UA that's described. 

12 Q. Let's go to the next slide. This again relates to 

13 the process and the culture within Toyota? 

14 A. That's correct. 

15 Q. And what is this document? 

16 A. This is a document that's an internal Toyota 

17 document. You can see Mr.Kawana was one of the 

18 recipients. But it's dated around the same time as those 

19 business review documents about their software process 

20 and their spaghetti code. It's in September of 2007. And 

21 I pull out this quote here from this email where the 

22 author is saying "In truth technology such as failsafe is 

23 not part of the Toyota's engineering division's DNA." 

24 And it continues, "But isn't it good that it is 

25 recognized as one of the major strengths of Toyota and 
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1 its system controls industry." 

2 And then I highlighted also the portion that says, 

3 "Continuing on as is would not be a good thing." 

4 Q. What does this tell you about your review of the 

5 documents? 

6 A. My interpretation is that inside Toyota there was a 

7 growing recognition that they were not designing safe 

8 cars . 

9 Q. In terms of the software? 

10 A. In terms of the software, that's right. 

11 Q. The next one, we've talked a little bit about NASA, 

12 you included in your chart, is that the NASA report? 

13 A. Yes. On page 78 of the NASA report, NASA report had 

14 some chapters also, they called them appendices, but in 

15 the main report at page 78 they had a table where they 

16 laid out some possible ways that UA could happen in 

17 Toyota vehicles and there were two they couldn't rule 

18 out. I talked about them earlier. One was if both 

19 accelerator pedal sensors failed at the same time or 

20 failed together, then the software had no way of knowing 

21 that. 

22 The other was exactly what I've described here, a 

23 systematic malfunction of the main CPU software that is 

24 not defected or not detected in time by the monitor CPU. 

25 And so the quotes on the bullets match up with the 
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1 highlighted portions of NASA's assessment of what that 

2 would be like. They are saying that the fault would 

3 escape detection, so a single memory corruption would 

4 result in UA. Default would escape detection because 

5 there wouldn't be an EDAC error. And it turns out there 

6 is no EDAC to cause an error. 

7 The idle fuel cut would not be active. The reason 

8 for that is because it's one of the five failsafes that 

9 are in the task X. 

10 The watchdog would continue to be serviced. 

11 Q. What does that mean? 

12 A. Serviced means -- a lot of words are used for these 

13 watchdogs. You can kick the watchdog, pet the watchdog, 

14 stroke the watchdog. NASA used the word service. 

15 Service the watchdog, means checking in from time to time 

16 to say everything is okay. So NASA is saying during this 

17 defect the watchdog timer would still have to be getting 

18 kicked or checked in with. And indeed, Toyota's 

19 defective watchdog software will continue to check in and 

20 doesn't detect the task death. 

21 Q. And the monitor CPU? 

22 A. And the monitor CPU doesn't detect the failure and 

23 here because it's not designed to. Even the brake echo 

24 check that sometimes has detected and caused a sharp 

25 throttle and engine stall after the driver has acted 
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1 after the UA has occurred, it wasn't designed to do that. 

2 It's inadvertently doing that. And the way you can tell 

3 it's inadvertent is because no designer would design a 

4 safety system where the driver of a car that is 

5 accelerating away from them had to release the brake. 

6 Even in some cases. And I haven't a Toyota Camry users 

7 manual that says, if your car is accelerating and you 

8 don't want it to, try braking. If that doesn't work, try 

9 not braking. 

10 Q. Are we done with this one? 

11 A I think so. 

12 Q. I think this is a point raised by Dr. Koopman about 

13 single point failure, is that significant to you? 

14 A. Well, it's significant because it's a very point in 

15 safety critical system design. We don't want any single 

16 points of failure. And Dr. Koopman used a nice example 

17 of an airplane with one engine, or an airplane with two 

18 engines that had a common failure mode such as one fuel 

19 pump. And so this car shouldn't have single points of 

20 failure in it. And that is a normal mode of design for 

21 automotive safety systems. 

22 Toyota tried to mitigate the risks of things like 

23 this happening, including in software, but they missed 

24 some of the single points of failure. And that is what 

25 happens when you focus on the trees and not on the forest 
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1 of having an actual safety process adopting a big MISRA 

2 like safety software building process and hardware design 

3 process. 

4 And so some of the faults, some of the single points 

5 of failure are getting through gaps in the failsafes. 

6 Like Dr. Koopman said, there may be misbehaviors of 

7 Toyota vehicles that are getting caught by failsafes. 

8 What's really at issue here is that sometimes not only 

9 are there misbehaviors but they are slipping through the 

10 failsafes, and those are the ones that get complained 

11 about and those are the ones that injure people. 

12 Q. Go to the next slide. 

13 A So as I stated, there are single points of failure 

14 in the ETCS. Some of these have been demonstrated but 

15 not all of the ones that we've identified have been 

16 demonstrated in the vehicles. 

17 And task death, although I focused a lot of task X 

18 here, because it does so much and it does throttle 

19 control and it does failsafe, it's pretty important, but 

20 there is tasks and they can die in different 

21 combinations. It could be task 3 and task X, or task 3 

22 and task 7 and task X, or just task 9. And those can 

23 cause an unpredictable range of vehicle misbehaviors. It 

24 turns out that unintended acceleration is just the most 

25 dangerous thing your car can do when it malfunctions. 


THIS TRANSCRIPT IS NOT PROOFREAD 



101 


1 The most thing dangerous thing your iPhone can do is 

2 crash or not let you call 911. The most dangerous thing 

3 your car can do is shoot down the road. So other lesser 

4 software malfunctions also likely occur, but those are 

5 the ones that get reported is these dangerous, the ones 

6 that cause harm. 

7 MR. BAKER: Can we approach. Your Honor? 

8 THE COURT: Yes. 

9 (A DISCUSSION WAS HAD OFF THE RECORD.) 

10 THE COURT: Ladies and gentlemen, this next 

11 document is going to have source code information on it 

12 again, so if you not been authorized to view the source 

13 code, please leave the courtroom. 

14 Q. (BY. MR. BAKER) Go to the next line. You just 

15 finished testifying about other tasks not being 

16 identified when they die? 

17 A. Correct. 

18 Q. Is this chart associated with your work that has 

19 shown that? 

20 A. That's correct. So the vast majority of the testing 

21 that has been conducted by either side's experts to date 

22 has involved killing just one task at a time. So each of 

23 the have been tried. And so I've put together this 

24 table with tasks. It's not their names and the source 

25 code that are here, but it's just a brief description of 
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1 the task to help me remember how to talk about them. 

2 And then what things have happened in the tests that 

3 have been conducted by Mr. Louden, and also by Toyota's 

4 expert Mr. Arora. And so this is a summary chart and it 

5 talks about those things. 

6 Q. And so of these in this chart where we see some 

7 reaction by the software and then not detected by the 

8 software, is that an instance where just a single task 

9 was killed? 

10 A. Right. So there has also been some testing where 

11 task X was killed and one other task was killed, not 

12 referring to that here. Just referring to task where one 

13 task was killed. It's as though one of the 

14 programmers on the Toyota team never showed up for work 

15 in your car at that point. So what happened in the car. 

16 We already heard a lot about task X death by itself, and 

17 that's if the driver changes the state of the brake 

18 pedal, then the throttle will get cut and 

19 later the car will stall. And I put in parenthesis that 

20 that's the echo check. That is the brake echo check 

21 that's detecting that. 

22 Q. And that we discussed application of the brake in 

23 the sequence of an UA, correct? 

24 A. Right. 

25 Q. If we've got a person who has their foot on the 
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1 brake, but they -- I'm going to describe it as a pumping 

2 action, but they come back and forth pressing on the 

3 brake up and down, will that reset this echo and make it 

4 work every time that occurs, or is there something 

5 special that has to happen? 

6 A. No, pumping can be without a full release of the 

7 pedal. You just move your ankle, you go up and down, but 

8 never really let off the pedal. If you don't let off 

9 pedal then it will go on forever. 

10 Q. Is there a special, what I'll call a brake switch 

11 for lack of a term, within the mechanical brake system 

12 that has to do some special function in order for it to 

13 reset for this echo to work? 

14 A. That's correct. First of all, the switch has to 

15 open, and then also it has to be held open at least 

16 of a second before this brake echo will do 

17 anything. 

18 Q. So we can have brake application and be within the 

19 constraints you just defined and not turn over the brake 

20 switch, and it won't cause this brake echo to come on? 

21 A. That's true. And that's a good point because my 

22 slide just says brake change, but it has to be a brake 

23 change of a sustained duration. It can't just be a pump 

24 that doesn't let fully off. I was trying to summarize 

25 things here mostly so I could explain them. 
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1 Q. In terms of the other ones here that you show us, 

2 should there have been something within the software that 

3 detected the death of one of the any of them, that 

4 were supposed to be running? 

5 A. Absolutely. There should have been something that 

6 detected the death of any one of them as quickly as 

7 possible and reset the ECM in order. 

8 Q. Once you have detected the death of any of them -- 

9 A. The one that makes sense to me is the watchdog 

10 supervisor. That is the easiest place to do it. That's 

11 the place where most people do it. The monitor CPU can't 

12 see which tasks are running necessarily, doesn't have 

13 visibility to all of them, but the watchdog supervisor 

14 should, and should have been designed that way. 

15 Q. So, we exclude task X, and we just look at the other 

16 tasks, I think I counted is that right? 

17 A. I think that's the same number that is in my report, 

18 yeah. 

19 Q. So of the tasks, excluding X, if of them were 

20 to die, system failed, is there anything that is going to 

21 detect it? 

22 A. There is nothing that detects it. So not even 

23 changing the brake switch detects it, so you have all 

24 these other tasks that are supposed to be doing 

25 something. For example, if spark on cylinder number one. 
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if that task never runs again, then you're not going to 
have a spark in the first cylinder. Now, that is not 
going to because a UA, but it is an issue. You are not 
burning the gas, it's exhausting out of your exhaust pipe 
every time that the cylinder goes up and down. 

Q. Have you reached a conclusion on whether this shows 
a defect in the software? 

A I have . 

Q. What's your opinion? 

A. My opinion is that the watchdog is defective and 
should have detected all of them quickly as possible. 

Q. And if a watchdog detects them, what are they 
supposed to do? 

A What the watchdog should do, and the one I believe 
that it will do is for this one millisecond task, if that 
task dies and doesn't run again, then the watchdog 
correctly resets the ECM in that case, it actually 
happens very quickly. It can happen within one 
millisecond plus the millisecond reset time. so in 

that 11 feet at 60 miles an hour, less feet. At half the 
speed it's five feet. 

Q. And to the extent you can, can you describe for us 
what a vehicle would do in the vent you have a reset if 
you're driving down the road? 

A. I'm familiar with testing that's been done with 
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respect to resetting ECM, in a couple of different ways, 
by killing, for example, that one millisecond task and 
also by just forcing a reset electrically. And the 
observation has been that if you were sitting at a stop 
sign, it's possible your car will stall when it resets 
because the engine is turning slowly. But if you're 
driving down the road you'll see the RPM drop briefly and 
then it will go back and continue. 

Q. All right. Let's move to the next slide. 

MR. BAKER: Your Honor, at this point I think 

we can let everybody back in. 

THE COURT: Okay. We will continue on. 

Q. (BY. MR. BAKER) When you say that the test is 
effectively infinite, what do you mean by that? 

A. Well, there are so many different combinations of 
ways and times when this can happen that it's impossible 
to test them all. It would take a vast amount of 
resources, resources that I don't have in the source code 
room, but resources that even Toyota doesn't have with 
their, you know, actual vehicles and test tracks and test 
engineers and, you know. It's not something you can test 
into submission. Because just looking at the number of 
tasks deaths, each one can die by itself. That is just 
m combinations. All could die at once. That is just 
one combination. 
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1 But when you add up all the ways that just two can 

2 die, or just three can die or just four can die, it turns 

3 out to be over 16 million possible combinations of task 

4 death. So how are we supposed to test task X, which 

5 we've already demonstrated UA, and all the other tasks 

6 that can die with, you know, one other task death, two 

7 other tasks dead, three other task dead. And then it 

8 actually gets harder than that because each task can die 

9 in different vehicle operating states. We've a seen one 

10 of those perfect examples, is if it dies when the brake 

11 was already pressed, any amount of press, lightly pressed 

12 or fully pressed, then it's completely different outcome 

13 than if the brake was not pressed. 

14 And the same is true for if the cruise is on, not 

15 on. It matters also what happens next. For example, on 

16 that prior slide there was one task that was not 

17 detected. That task is involved in shifting the 

18 transmission. None of the testing to date that I'm aware 

19 of from either side has caused a transmission shift after 

20 killing that task. 

21 Well, in an automatic transmission, you know, in a 

22 manual you move the gear. In an automatic transmission 

23 in Toyota's design software pushes electrons and 

24 electrons push something mechanic. And if the task that 

25 does that doesn't do that then your transmission is in an 
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indeterminate state, and what if you needed to downshift 
or upshift in order for proper vehicle behavior. 

So just killing that one task and saying no observed 
behavior, as Toyota's expert does, that's not enough 
information. We have to test all the things that the 
driver might do next, including if the vehicle then 
misbehaves, what will they do after that? Will they 
press the brake or not, pump or not, et cetera. 

And there's also in addition internal software 
states. I talked about a million lines of code, 11,000 
global variables. You would have to test each 
combination of task death in all of those different 
system states in order to -- basically there's too many 
tests to construct to be sure that nothing even worse 
could happen. That is, for example, an unintended 
acceleration, where no matter what you do with the brake 
pedal, let go of it or try it, the car won't stop. 

Q. Is that infinite number of test combinations a 
reason for having a reasonable and appropriate design 
structure in place? 

A. Yes. This is exactly the reason why you have to 
follow a process like Dr. Koopman says you have to when 
you're designing a safety critical system. Because those 
processes are designed so that even if you get something 
wrong on the main CPU, because you have two independent 
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fault containment regions, the failure of one can be 
detected by the other, and it depends on whether it's an 
airplane or a car, what's the best thing to do, but when 
that's detected as, I don't agree with you and we both 
have an independent view of what should be going on, then 
you do something safe. 

Obviously, in an airplane you don't just stop the 
engines and fall out of the sky. You have to do 
something else. But a car you do the safest thing you 
can with that scenario under what's known. What's working 
and not working. 

Q. In a software development process we talked about. 
Dr. Koopman talked about, is the process just as 
important as the testing? 

A. The testing -- I'm not going to say that vehicle 
testing like Toyota does is not important. It is 
important. But it tends to find the bugs that happen 
frequently. The ones that happen to everybody everyday. 
It doesn't happen to find the rare ones. So the process 
is equally important if not more important, because the 
process is what makes sure that even if you have bugs in 
there, which there will be, that those bugs and defects 
won't get through and cause a dangerous harm. 

Q. Anything else with this slide? 

A. Right. So in that infinite space based on reading 
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the source code we were able to pick out a particular 
bit. We were interested in task X and what would happen 
from reading the source code and we were able to simulate 
in the code room that if we killed it in a certain way -- 
actually there's a couple of ways it could happen -- that 
that task would die and not run anymore. 

And that ' s what we could predict would happen and we 
have test sampling from within that infinite space that 
confirms that Toyota, when they say we have layers of 
failsafe and you know, when they tell that to Congress 
and they tell that to NASA and they tell that to you, 
that's inadequate. That's not enough. They should have 
had the process in place. 

Q. All right. Before we go to the next line, I did 
want to ask you. I think you told us earlier about your 
conclusions in terms of this case, but can you tell what 
you understand the facts to be in terms of the Bookout 
accident ? 

A. Sure. I understand that Ms. Bookout was driving a 
2005 Camry, that she was driving south on highway, I 
believe it's called 69 near Eufaula, and that she was 
approaching an exist ramp and began to exit and slowed 
her vehicle, and that at some point on the exit ramp the 
car was not slowing when she was braking. And that she 
pumped the brakes in response, and told her passenger 
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1 what was going on. And that a little bit further down 

2 the ramp her passenger suggested pulling on the parking 

3 brake. And there are indications that the parking brake 

4 was indeed pulled and this resulted either from the 

5 parking brake or the service brakes or both in a skid 

6 mark of 150 leading to a crash site in a ditch passed a 

7 stop sign at the end of the exit ramp. 

8 Q. Is it accurate to say in terms of the specific 

9 details about the reconstruction, you're leaving that 

10 Mr. McCort? 

11 A. Yes. 

12 Q. Okay. Do you have an ultimate conclusion in this 

13 case as to why the vehicle would not slow down in the 

14 scenario you described for us? 

15 A. I do . 

16 Q. What is that conclusion? 

17 A. My conclusion is that a software defect has caused 

18 the unintended acceleration which could not be stopped 

19 through the pumping of the brakes and the braking. Not 

20 in time anyway to avoid the crash. 

21 Q. And in terms of the specific task and death or how 

22 this occurred in this case, have you got some sample 

23 testing to show us about how you demonstrate that? 

24 A. Yes, I have another vehicle test that was performed. 

25 Q. Let's go to that slide. Tell us about this. Is 
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this one of the tests or combinations that Mr. Louden 
did? 

A. Yes, sir. This is testing that was performed in a 
2005 Camry by Mr. Louden and documented in his report in 
the Saint John case. 

Generally we're looking at several different data 
plots of different signals that he was collecting during 
this. And I'm going to walk you through it step by step, 
but let me just generally orient you. That the red up 
here on the top is how fast the car is going. You can 
see that initially in the test starting from about 40 
seconds he accelerated until a speed, I don't know the 
exact speed, I haven't looked at the chart in a while, 
but you can see it's around less than 100 kilometers per 
hour, so it's probably 45 or 50 miles an hour here. And 
then at the time of the dotted line, he's killed the 
task, and then he's collected some various data along the 
way. And we'll talk about what each of these mean in 
just a minute. 

So you can see the dotted line of killing the task 
is at a time 59. So the first thing you notice is that 
the vehicle speed is about 45 miles an hour. I'm not 
being too precise there, might be closer to 50. And so, 
the next thing to notice is that you see this orange 
arrow right here, this is showing that just after the 
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1 task died Mr. Louden let off the gas pedal. He had been 

2 accelerating steadily, he lets off here but, the speed of 

3 the vehicle remains 45 miles an hour. It's not 

4 responsive, so we have a loss of throttle control at that 

5 point. 

6 To demonstrate that further, Mr. Louden shows that 

7 even if he tries now, let's say he wants to avoid an 

8 obstacle on the road or another car, he tries to use the 

9 accelerator, nothing happens. There is no change in the 

10 vehicle speed, no failsafe kicks in or anything like 

11 that. In fact, none of failsafes act in any way, if 

12 we're greater than 30 seconds in this test, ranging from 

13 just before 60 to -- right about here we have something a 

14 little bit before 100 that that happens, so maybe 35 

15 seconds or so. 

16 And if you look here, what's happened at the end 

17 that's caused this throttle cut and an engine stall 

18 later is that Mr. Louden has let off the brake 

19 pedal, right here. So, because he was on the brake pedal 

20 even lightly when this task death occurred, you see the 

21 brake signal is this solid line is on, and then it goes 

22 down it's off the green line, so at that time he's let 

23 off the brake. And it's then about 

24 after that that the throttle is cut by the brake echo in 

25 the monitor CPO. And then after that we 


THIS TRANSCRIPT IS NOT PROOFREAD 






114 


1 get an engine stall. And then because we're on the 

2 dynamometer we don't see the vehicle drop off before his 

3 test data collection ends. 

4 Q. So he has his foot on the brake at the beginning of 

5 this particular test? 

6 A. That's correct. 

7 Q. And is this a test that explains to you that the 

8 foot on the brake, the UA can continue on? 

9 A. Yes, I mean, my opinion is based on more than just 

10 this test, but this test is supportive of my opinion, 

11 that's correct. 

12 Q. And let's move on -- before we go on to the next 

13 slide. Let me ask you a couple of questions. 

14 This explains to us what can happen when you have a 

15 task death occurs, correct? 

16 A. That's correct. That's one of the possible 

17 outcomes. 

18 Q. And it shows or demonstrates or at least is 

19 supportive of what you said having a foot on the brake 

20 when it happens? 

21 A. That's correct. 

22 Q. And we've gone through a lot and I just want to try 

23 to bring it altogether if I can. And please correct me 

24 if I'm wrong. Task X dies in this test? 

25 A. Right, so this test is a task X death only. 
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1 Q. Task X contains throttle angle, throttle -- all 

2 sorts of things? 

3 A. Including failsafes, that's correct. 

4 Q. And you've told us I believe that one of the ways 

5 that task X can die if there is memory corruption? 

6 A. That's correct. 

7 Q. And if we have a memory corruption, task X dies, we 

8 have a corruption with the throttle angle variables? 

9 A But then the throttle can open wider or close, 

10 depending upon what the corruption value is. 

11 Q. Is this sort of a scenario that you think more 

12 likely than not occurred with Mrs. Bookout? 

13 A. Yes. I would just clarify that it may have involved 

14 other task deaths beyond just task X. 

15 Q. But it's task X that creates the UA? 

16 A. I believe so, yes. 

17 Q. Let's move on to the next slide. Talk about the -- 

18 did you do what's called a root cause analysis to reach 

19 your final opinions in this case? 

20 A I did. 

21 Q. Tell me what a root cause analysis is? 

22 A. Sure. A root cause analysis is a consideration of 

23 all of the possible factors that could have lead to, for 

24 example, a car accident or some other incident. 

25 And so, when doing a root cause analysis, it is 
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1 appropriate and scientific to consider all of the 

2 possible things that could have been involved. And so, 

3 for example, considering mechanical causes, like a 

4 mechanically stuck throttle; considering electrical 

5 causes and software causes; and also considering whether 

6 there could have been something like a pedal that was 

7 trapped under a — a gas pedal that was trapped under a 

8 floor mat; or a pedal misapplication, human mistake. 

9 Q. So in this case would you have considered other 

10 potential causes of a UA in eliminating those based on 

11 your analysis? 

12 A. Yes. So in each case I studied the evidence, 

13 whether the evidence supported that as a cause or not, 

14 how strong the evidence was in relation to other evidence 

15 supporting other causes. 

16 In some case I was able to rule out entirely a 

17 particular cause. For example, the pedal entrapment by a 

18 floor mat does not -- there is no evidence to support 

19 that in this case. And I went through step-by-step, 

20 including the software and other factors. 

21 Q. Is it listed in here in a slide? 

22 A. Yes, at a high level. 

23 Q. And as far as this, did you also consider the sworn 

24 testimony we talked about earlier today of other people 

25 who claimed to have experienced similar unintended 
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1 acceleration? 

2 A. I did. 

3 Q. And in that process would you have looked at more 

4 specific things related to their occurrences in order to 

5 say they were substantially similar to this one? 

6 A. I have. 

7 Q. And did you include a list of those within your 

8 report that you used in this case? 

9 A. I did. 

10 Q. We'll go through the fact that you looked at it in a 

11 minute but I just want to make sure that those vehicles, 

12 are they all Camry's? 

13 A. Yes. I looked at 2005 to 2009 Camry's. 

14 Q. And in that range, would you consider the software 

15 related to the UA defect that you discussed today was 

16 substantially similar? 

17 A Yes. 

18 Q. Continuing on with -- so you evaluated what you put 

19 up here you think is the cause? 

20 A. Right. 

21 Q. Were you able to rule those out? 

22 A. In some case I was able to rule them out. In some 

23 cases I ultimately concluded that they were less likely 

24 than the software cause. 

25 Q. And let's go to the next slide. 
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Now, are you here to tell us that, 100 percent, you 
know what defect caused this wreck? 

A . No . 

Q. Are you telling us more likely than not what defect 
caused it? 

A. Yes. 

Q. And is it the UA we just discussed with the death -- 
A. That's my opinion, yes. 

Q. Under same or similar circumstances to the some of 
testing? 

A. That's correct. 

Q. Go to the next one. By the way, is it possible to 
tell a defect in the software? 

A . No . 

Q. And does it relate back to the incident number of 
tests that would be required that are not capable? 

A One reason is because of the large space of possible 
things that could have occurred. Another factor is that, 
unlike many safety critical systems I'm familiar with, 
there is essentially no logging of what happens inside 
Toyota's system. There is no, oh, we reset the processor 
at this time or, you know, just before the crash, for 
example, there is no information about the internal 
software state, how many tests were running or not 
running, what they were doing. 
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Effectively, you can think of it as when you reboot 
the engine, all of the evidence of what happened before 
is deleted. 

Q. This jury has been told several times that the 
vehicle had been inspected and there was no mechanical 
problem with the engine or brakes or anything like that. 

Assuming that to be true, what would that tell you 
as a software person? 

A. Well, the inability to find any prior mechanical 
problem or mechanical problem after the accident is 
actually supportive of a software malfunction theory. 
That's what software does. It casts a misbehavior that 
doesn't leave any stuck mechanical throttle. 

You know, a mechanical cause like a bent pedal or a 
stuck throttle can move mechanically, would leave 
evidence that the car might have malfunctioned before the 
incident or it would have maintained evidence after the 
incident . 

So the software cause is -- the case where a 
software cause is strengthened by the lack of mechanical 
findings in inspection. 

Q. In order to assess the software issues, you have to 
go through what we've only gone through here for the last 
four or five hours, you have to go through that process? 
A. Yes. 
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1 

Q. All right. The next point, please. 

2 

A. So to a reasonable degree of engineering certainty. 

3 

it's my opinion that it was more likely than not, a task 

4 

X death, possibly in combination with other tasks that 

5 

occurred that day, causing a loss of throttle control and 

6 

in inability to stop the vehicle's full momentum because 

7 

of the vacuum loss. So she had a vacuum loss in the 

8 

brake when Ms. Bookout pumped the brake. 

9 

Q. And you also, as far as your work in this case and 

10 

others Toyota UA cases, had an opportunity to see the 

11 

testimony of Mr. Arora who offers software opinions on 

12 

behalf of Toyota? 

13 

A. Yes. 

14 

Q. Did you happen to see other depositions of other 

15 

experts for Toyota? 

16 

A. Yes. 

17 

Q. Have you become familiar with the positions that 

18 

Toyota has taken in terms of defending whether UA 

19 

occurred? 

20 

A. I have. 

21 

Q. All right. Have you prepared a slide to discuss 

22 

those? 

23 

A. Yes. 

24 

Q. All right. 

25 

A. So back in July of 2012, when I issued my initial 
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1 report, there was also a report that came from Toyota's 

2 expert at the same time. So we exchanged reports in the 

3 blind. And in that report, Mr. Arora took the opinion 

4 that, first of all, that Toyota had various layers of 

5 protection. We talked about hardware fail safe, software 

6 fail safes, system fail safes, et cetera. 

7 But, and this is the important point, that just 

8 because you fail safe layers it's great that there are 

9 fail safes. And undoubtedly they are detecting some 

10 misbehaviors, but that doesn't mean that there aren't 

11 gaps and holes, as we discussed, and defects, even, 

12 within those layers. And Mr. Arora appears not to 

13 consider that. 

14 Additionally, in the same report, he said that those 

15 fail safes would detect any single point of failure, 

16 which obviously has been proven false at this point. 

17 Q. Why do you say they've been proven false? 

18 A. Because we've demonstrated that a single byte can 

19 cause a UA that can go on until you run out of fuel. 

20 Q. All right. Your next point? 

21 A When we published those reports, Mr. Arora' s 

22 response was to do additional vehicle testing that showed 

23 when the task X died it was — the death of that caused 

24 the throttle cut and a engine stall when the driver 

25 braked. 
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And so then Toyota and their experts began to say, 
well, it's not a UA because when the driver brakes, it 
will stop the incident. And I said to them, no, that is 
not designed for that purpose, not 100 percent reliable, 
and depends on the what state the car is in at the time. 
And I told them that in October of last year, about the 
year ago. 

From that time until this summer, Mr. Arora 
continued to say that this was the, quote, unquote, 
designed fail safe of the system, until it became 
apparent that if the UA began with the brake pedal 
pressed to any degree, that it would continue, as I just 
showed in that data, until the driver let go. 

And so most recently in his deposition in this case, 
Mr. Arora says, it depends on how much fuel you have, how 
long this will go on, or your braking ability. 

I just want to go back and I missed this point. If 
that brake echo check was designed by engineers to be a 
fail safe against UA, then it would not be designed to 
require the act -- the driver to act before it acted. 

Fail safes should act before the UA starts, before the 
driver notices, et cetera and not require the driver to 
notice at all or act in some way. 

It would never require that a possible action is 
that the driver would remove their foot from the brake 
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pedal, counter-intuitively, and also increasing a short 
term risk by letting the car speed up. 

As you might not have a lot of braking power against 
a full throttle, but I guarantee you, as you let off on 
that pedal, the car is going to speed up. And if you 
pump back down you're going to lose your vacuum and then 
you're going to fighting the old fashioned way without 
power assist. 

Q. We talked earlier about -- let's go see your next 
slide. You have done 13 chapters of a review of Toyota's 
software? 

A. I have. 

Q. In terms of the experts that have been offered by 
Toyota in these other cases, have they refuted or 
rebutted everything you have written about the system? 

A. Very little, actually. 

Q. Can you show us what they have not? 

A. Yes. And I won't say 100 percent because maybe 
there is some small part of some of these chapters that 
have been rebuttal. So don't tell me to 100 percent. 

But by and large, of the 13 chapters, I believe the 
count is 11 of them are not rebutted or refuted in any 
way. And these involve the stack potential overflow we 
talked about, the code complexity being untestable and 
unmaintainable, not violating -- not following their own 
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coding standard, violating MISRA. 

I guess, technically, the response there is that 
they didn't have to follow MISRA. There's no rule. The 
fail safe modes being disabled when task X dies. The 
watchdog supervisor being abysmal. The software 
architecture with the kitchen sink task and the control 
of the throttle and fail safes in the same task has not 
been rebutted. 

The lack of E-vac has not been rebutted. The 
software bugs in the -- in my software bugs chapter. I 
understand from his deposition just last month that Mr. 
Arora has not looked at those. And the operating system 
defects, the unmirrored variables, and Toyota's misuse of 
it and the nonstandard operating system has not been 
rebutted . 

I just have one more point. And that's also that, 
from what I've seen, most of Dr. Koopman ' s opinion, he 
does have one chapter. It's a large chapter, but most of 
his opinions, most of things you've heard from him have 
not been rebutted in anyway either. 

Q. All right. Let's go to the next slide. Other 
stories, we've talked about those briefly. 

Are you aware of whether Mr. Arora has actually 
taken some of these other depositions as part of his 
analysis in whether UA can occur? 
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1 A Whether Mr. Arora as reviewed other similar 

2 incidents? 

3 Q. Yes, sir. If you know. 

4 A. I don't recall. 

5 Q. Very good. We've been through it once. I don't 

6 want to belabor, but you looked at other instances, other 

7 sworn testimony of people that claim to have been 

8 involved in UA's? 

9 A. Yes. To be clear, not all of it was sworn 

10 testimony. 

11 Q. Okay. And I think that goes to the part at the 

12 bottom of the screen? 

13 A. That's correct. 

14 Q. Where were the sources of this information? 

15 A I got the information about complaints about 

16 unintended acceleration from principally three places. 

17 One is, I searched -- NHTSA has an on-line database where 

18 you can go and complain about something that happens in 

19 your car. And I searched that data base for incidents 

20 that involve descriptions of unintended acceleration and 

21 reviewed those cases and have cited to solve them in an 

22 appendix in my report. 

23 I also reviewed Toyota's internal documents and 

24 those are that a customer has a problem with a car, 

25 Toyota will maintain a file on that car. They call it a 
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1 field technical report, FTR. I reviewed documents that 

2 Toyota's produced that relate to those. 

3 And then finally also, I reviewed claims like St. 

4 John, Mr. Van Alfen. 

5 Q. Did that include other depositions and sworn 

6 testimony? 

7 A. Yes. With respect to the claims, it's generally 

8 sworn deposition and testimony. 

9 Q. Let me hand you a report that is St. John. 

10 MR. BIBB: We renew our objection. 

11 THE COURT: Okay. 

12 MR. BIBB: Do I need to object to each and 

13 every one of those. There are certain facts that need to 

14 be brought out. I can cross-examine him now and talk 

15 about it all when we come back tomorrow. 

16 THE COURT: No. Unless you've got something 

17 that you didn't raise when we made our record outside the 

18 presence of the jury you need to raise it now, because I 

19 obviously won't have ruled on that. 

20 MR. BIBB: Thank you. 

21 Q. (BY MR. CLARK) Have you found your opinions, where 

22 you start? 

23 A. Yes. I think it starts on page 75. 

24 Q. What I want to do is just have you, kind of in a 

25 great detail, but in terms of general facts, that you 
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evaluated for specific instances as part of your analysis 
in this case, I want you to tell me about those. 

MR. BIBB: We renew all the objections. 

THE COURT: Okay. And that will be so noted 

and so you don't have to do it for each and every one. 

MR. BIBB: Thank you, very much. 

THE COURT: Yes. It will be carried over for 

each one. 

Q. (BY MR. CLARK) All right. Let's start with Barris 
Ford Hill incident. 

A Yes, Mr. Barris Ford Hill reported unintended 
acceleration while driving a 2005 Camry while attempting 
to enter a parking space. The vehicle. 

MR. BIBB: Excuse me. If he's going to read it 

he needs to read the whole thing. 

THE COURT: Okay. Well, counsel, remember, I 

had ruled. I granted part of your objection, so I don't 
know . 

MR. BIBB: Okay. 

THE COURT: I mean. 

MR. BIBB: I mean you know, I take that back. 

Your Honor. I'll bring this out on cross-examination the 
distinct differences. 

THE COURT: Okay. And you still follow my 

previous ruling about the stuff that cannot come in? 
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1 MR. CLARK: Yes, ma'am. That's what I'm trying 

2 to do. 

3 THE COURT: Okay. 

4 Q. (By MR. CLARK) Go ahead. 

5 A. While attempting to enter a parking space the 

6 vehicle suddenly accelerated and caused a crash into a 

7 guardrail and wall. 

8 Q. All right. How about the Brown incident, Leigh 

9 Brown? 

10 A. Ms. Brown was driving a 2007 Camry when she 

11 experienced unintended acceleration while she was merging 

12 onto the freeway. 

13 Q. According to the information you had, did she press 

14 the brakes? 

15 A. She applied the brakes but was unable to stop the 

16 vehicle. 

17 Q. Let's go to Linda Chory. And let me back up. The 

18 Brown incident occurred August 5th, 2007? 

19 A. That's correct. 

20 Q. And Linda Chory, when did her incident occur? 

21 A. May of 2010. 

22 Q. And what vehicle was she driving? 

23 A A2007 Camry. 

24 Q. What were the general circumstances of her incident? 

25 A. The vehicle surged forward three times while stopped 
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1 after exiting an onto and off ramp causing an accident. 

2 Q. All right. How about the next page, Doris Dejoie 

3 (ph) ? When did that incident happen? 

4 A. May, 2010. 

5 Q. And what vehicle? 

6 A. It was a 2007 Camry. 

7 Q. Again, are all these vehicles that we're going to 

8 talk about ones that you have found software to be 

9 substantially similar to the 2005? 

10 A. Yes. 

11 Q. In terms of an UA event, did it have the same 

12 defects and some of the same problems that you described 

13 for us? 

14 A. With respect to the relevant details, substantially 

15 similar, yes. 

16 Q. With regard to this event in Texas, can you tell us 

17 what it was? 

18 A. She was backing out of the driveway with her foot on 

19 the brake and the vehicle accelerated suddenly and would 

20 not stop. 

21 Q. And Ezal, first name, Buled. What was date of her 

22 incident? 

23 A. It's actually a gentleman. It was February of 2007. 

24 Q. And what vehicle? 

25 A. It was a 2005 Camry. 
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1 

Q. Would you describe the facts of that? 

2 

A. While entering a parking space, the vehicle 

3 

accelerated over a curb, across the sidewalk, through two 

4 

fences and over a cliff. 

5 

Q. Did he apply the brakes? 

6 

A. He applied the brakes but was unable to stop the 

7 

vehicle . 

8 

Q. How about Elise Hazel? 

9 

A. I think it's Elsie. 

10 

Q. Elsie. When did she have an incident? 

11 

A. Sometime in 2009. I didn't note the specific date 

12 

here . 

13 

Q. And what vehicle was she driving? 

14 

A. It was a 2008 Camry. 

15 

Q. And generally, what was the incident that she 

16 

experienced? 

17 

A. While she was parking the vehicle, accelerated 

18 

forward through a window of a store. She applied the 

19 

brakes but was unable to stop the vehicle. 

20 

Q. Mr. Manfred Heinrick, what vehicle was he driving? 

21 

A. Mr. Heinrick had a 2007 Camry. 

22 

Q. Did he experience multiple incidents? 

23 

A. He did. He experienced about three different 

24 

incidents over about a five-month period. 

25 

Q. One on May 24th, 2007? 
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1 A. That's correct. That was the first one. 

2 Q. And tell me about that experience. 

3 A. He was on a highway and the cruise control got stuck 

4 at 65. And after hitting the brakes, the vehicle 

5 accelerated up to 85. He applied the brakes but was 

6 unable to stop. 

7 Q. Do you have a date here for the second incident? 

8 A. August the 12th, 2007. 

9 Q. And what did he experience the second time? 

10 A. In this case he was merging into heavy traffic at 

11 about 30 miles an hour. He stepped on the -- though he 

12 stepped on the brake with both feet, the vehicle 

13 continued to accelerate. 

14 Q. The last one was in September of 2007? 

15 A. Yes. 

16 Q. What was describe that happened? 

17 A. He was stopped at railroad crossing and the vehicle 

18 accelerated on its own. The brakes were applied but it 

19 didn't stop the vehicle. 

20 Q. The next one, James Highland from Ohio. What was 

21 the date of that incident? 

22 A. It was in May 2010. 

23 Q. What vehicle was he driving? 

24 A. A 2009 Camry. 

25 Q. Can you describe for us, generally, the incident? 
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1 A. While he was exiting the highway with a cruise 

2 control at 65, he touched the brake pedal and the car's 

3 engine immediately began to race to full throttle. He 

4 was able to stop to vehicle by shifting to neutral. 

5 Q. Anita Gorge, when was her incident? 

6 A. December of 2009. 

7 Q. And what vehicle was she driving? 

8 A. A 2005 Camry. 

9 Q. Can you tell us about her incident? 

10 A. She was slowly pulling into a parking space with her 

11 foot on the brake pedal and the vehicle suddenly surged 

12 forward. It jumped a curb in front of the parking space, 

13 hit a tree and slammed into a steel parking meter. 

14 Q. Colleen Lambert, when was her incident? 

15 A. July of 2008. 

16 Q. What was she driving? 

17 A. A2005 Camry. 

18 Q. What was her experience? 

19 A. She was going about 20 miles an hour, coasting into 

20 a parking lot when the vehicle accelerated on its own. 

21 She applied the brakes, which was seen by her brother, 

22 Jim, but was unable to stop the vehicle and collided with 

23 another vehicle. 

24 Q. Mr. Lee, when was his incident? 

25 A. Mr. Lee was June, 2010. 


THIS TRANSCRIPT IS NOT PROOFREAD 



133 


1 Q. And what vehicle was he driving? 

2 A. A 2007 Camry. 

3 Q. And what did he experience? 

4 A He was at a stop in a parking lot, and as he applied 

5 the brake, the vehicle accelerated on its own toward a 

6 vehicle in front of him. 

7 Q. Amed Master, did he multiple events? 

8 A. Yes. 

9 Q. What vehicle was he driving? 

10 A. A 2009 Camry. 

11 Q. What his first date — first event? 

12 A. March of 2010. 

13 Q. What was his experience at that time? 

14 A. While he was entering the highway, the vehicle 

15 wanted to continue to accelerate. He applied the brakes 

16 but was unable to stop the vehicle. 

17 Q. What was the second incident? 

18 A. It was two months later. May, 2010. 

19 Q. And what was the circumstances of that incident? 

20 A. The vehicle accelerated for about 10 seconds while 

21 driving at 50 miles an hour. 

22 Q. Do you know if he applied the brakes in that 

23 instance? 

24 A. Not from my notes here. 

25 Q. Cynthia Neil, when was her incident? 
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1 

A. In December of 2007. 

2 

Q. What vehicle was she driving? 

3 

A. A 2007 Camry. 

4 

Q. And what was the circumstances of her event? 

5 

A. While she was pulling into a parking the space, the 

6 

engine speed surged and the vehicle surged forward over a 

7 

snow bank and hit a guardrail and tree. She applied the 

8 

brakes but was unable to stop the vehicle. 

9 

Q. Mary Creeks Morrison, when was her incident? 

10 

A. May of 2008. 

11 

Q. And what vehicle was she driving? 

12 

A. A 2008 Camry. 

13 

Q. And what was the circumstances of her event? 

14 

A She was on a highway driving about 60 miles an hour. 

15 

while passing a vehicle and it suddenly surged to 80 

16 

miles an hour. 

17 

Q. Did brake application stop? 

18 

A. She applied the brakes but was unable to stop the 

19 

vehicle. She called 911 during the event and was told to 

20 

put the car into the park and turn it off. Doing so 

21 

stopped the vehicle. 

22 

Q. Roger Rick, when was his event? 

23 

A. September of 2010. 

24 

Q. And what was he driving? 

25 

A. A 2008 Camry. 
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1 Q. What was the circumstances of his event? 

2 A. He was coming to a stop at an intersection and the 

3 vehicle jumped forward with high engine speed. 

4 Q. Charles Sheppard, when was his event? 

5 A. I just have her spring of 2008. 

6 Q. And what vehicle? 

7 A. A 2007 Camry. 

8 Q. What were the circumstance of his event? 

9 A. He placed his foot over the brake pedal when the car 

10 accelerated and caused an accident. The Toyota 

11 representative inspected the vehicle and couldn't find 

12 anything wrong. 

13 Q. Heather Skelton, when was her event? 

14 A. June of 2010. 

15 Q. What vehicle was she driving? 

16 A A2007 Camry. 

17 Q. What were the circumstance of her event? 

18 A. She was at a complete stop and the vehicle surged 

19 ahead unexpectedly. She still had her foot on the brake 

20 when the vehicle surged. 

21 Q. Margaret Schwarzman, what vehicle was she driving? 

22 A A 2005 Camry. 

23 Q. And when was her event? 

24 A. August, 2007. 

25 Q. What were the circumstances of her event? 


THIS TRANSCRIPT IS NOT PROOFREAD 



136 


1 A While she was turning left onto a residential road 

2 near her home, the vehicle accelerated out of control, 

3 causing her to hit a curb and crash into a parked 

4 vehicle. She was unable to control or stop the vehicle 

5 by applying the brakes. 

6 Q. Paul Van Alfen, what was the date of his event? 

7 A. November, 2010. 

8 Q. What vehicle? 

9 A. A 2008 Camry. 

10 Q. Is this the one that Dr. Koopman mentioned? 

11 A. Yes. 

12 Q. Is this the one in which you mentioned? 

13 A. Yes. 

14 Q. What were the general circumstances of this event? 

15 A. Mr. Van Alfen was traveling with his wife and two 

16 passengers. And they were exiting the highway in Utah. 

17 And the vehicle maintained its speed when he did not want 

18 it to and caused a crash at the end of the ramp. 

19 Q. The last one here on your list is a Joel Wyenn. 

20 What are the circumstances -- what vehicle? 

21 A. 2005 Camry. 

22 Q. Do you have a date? 

23 A. I have May, 2006. 

24 Q. And what was the circumstances of that event? 

25 A. While slowly pulling into a parking space, the 


THIS TRANSCRIPT IS NOT PROOFREAD 



137 


1 vehicle moved forward unexpectedly, jumped the parking 

2 lot and crashed into a concrete wall. He also had a 

3 prior incident two months earlier in which the vehicle 

4 engine was racing. 

5 Q. Does -- and was this report actually written for 

6 another case? 

7 A. Yes. 

8 Q. What's the name of that? 

9 A. That's the St. John case. 

10 Q. Ida St. John? 

11 A. Yes. 

12 Q. What vehicle was she driving? 

13 A. A 2005 Camry, like this one. 

14 Q. Generally, what are the circumstances of her 

15 accident? 

16 A. The car accelerated away from the stop sign and she 

17 went through a schoolyard and hit a concrete — impacted 

18 a tree and a concrete column where the vehicle came to 

19 rest. 

20 Q. And you've reviewed and analyzed the events we've 

21 just discussed? 

22 A. Yes. 

23 Q. Based on the information that you have, is it your 

24 opinion that these cases, more likely than not, also 

25 suffered a UA as a result of the software? 
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1 A. Well, I haven't done a root cause analysis on all 

2 these cases. But what I have done is, as an engineer, 

3 working in trying to debug complex systems over the years 

4 in my career, I have found it extremely useful in terms 

5 of understanding where the defects are, what kinds of 

6 misbehaviors can occur, to review and study complaints of 

7 users who say the system isn't working right. 

8 And these incidents for which mechanical causes do 

9 not appear to be the cause, and software failure is 

10 consistent with the description of the accident, informed 

11 me, as a set, that there's a pattern and that pattern 

12 informed my analysis and source code and it informs my 

13 analysis of this specific case. 

14 Q. And have we gone over all of your cases, specific 

15 opinions in this case? 

16 A. Yes. 

17 Q. And I think you mentioned earlier, but to be sure, 

18 are those to a reasonable degree of engineering 

19 certainty? 

20 A. Yes. 

21 Q. All right. Now I want to shift gears just for a 

22 minute and ask you some questions about the work that was 

23 done by Mr. Arora. 

24 Have you reviewed his deposition in this case that 

25 was taken? 
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1 A. I have. 

2 Q. And specifically September 24th. 

3 A. Sounds about right. 

4 Q. Does Mr. Arora address some of the issues you've 

5 discussed here today? 

6 A. Yes. 

7 Q. Did Mr. Arora do any vehicle testing on track that 

8 he talked about in his deposition? 

9 A. Yes. 

10 Q. And did he perform some tests at 45 miles an hour? 

11 A. He did. 

12 Q. Do you understand that Mr. McCort has testified that 

13 he believes that from the skid marks being left, that the 

14 speed of vehicle in this case was around 40 miles an 

15 hour? 

16 A. I do . 

17 Q. Did any of Mr. Arora' s tests that you reviewed 

18 change your mind about your opinion in this case? 

19 A. No. 

20 Q. Can you describe for us, generally, the test that 

21 you performed, in terms -- and I know he did some at 

22 different speeds, but I want to focus on 45 miles an 

23 hour. 

24 A. There was a set of tests. As I understand, the 

25 vehicle was always operated at 45 miles an hour. It was 
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always a 2005 Camry. And experiments were performed with 
tasks, one at a time. And that a certain spot on the 
track where there was a cone or a marker, the brake was 
pressed with 60 pounds of force. And then the vehicle 
was stopped and there were cones placed at 50, 100, 150 
feet and every 50 feet beyond that. 

Q. And did he also run a test applying 112 pounds of 
pressure? 

A. He did. 

Q. And we're going to focus on the 60 pounds? 

A. That's correct. 

Q. Was there any specific paperwork put together that 
describe the exact distance, stopping distance, for a 
test ? 

A. If there was I couldn't find it. I got a big hard 
drive with 50 gigs of stuff. 

Q. In terms of the stopping distance of the vehicle, 
once it goes through, is the only way to determine the 
distance, is to look at the cones? 

A. Yes. That's a reasonable way to do it. 

Q At the time the brake is applied as it goes through 

and we look at these tests, what position was the 
throttle in based on your review of these cases? 

A. My understanding of the tests is that the throttle 
was not open at the time. 
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1 Q. All right. So in terms of the test, as they are 

2 headed toward the gate, the brake is applied at 60 pounds 

3 of pressure and the throttle is released? 

4 A. Yes. But that may not apply to all of the cases. 

5 But the ones that you and I focused on, certainly that's 

6 the case. 

7 Q. All right. Can you pull it for us to look at? 

8 A. Yes. 

9 Q. All right. Let's take a look at ATS-10511. 

10 Is this your starting gate? 

11 A. Yes. 

12 Q. Is that two cones there? 

13 A. At the starting gate? Yes. 

14 Q. Does that what drives through those? 

15 A Yep. That's what I see there. Yeah. 

16 Q. As you go through there, are there cones and this 

17 would be at 100 feet and this would be at 50? 

18 A. That's what I see. 

19 Q. All right. Is that the vehicle at a stop? 

20 A. Yes. 

21 Q. All right. Can you -- and to help us did we finally 

22 come to the location? 

23 A. Yes. A little zooming helps. 

24 Q. So two gates were entered, correct? 

25 A. That's right. 
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1 Q. So in terms of stopping the car with no throttle and 

2 the service brakes only at 45 miles an hour, where did 

3 the vehicle stop? 

4 A. Before 100, certainly. 

5 Q. Let's take a look at -- just so the jury is clear. 

6 All of these are at 45 miles an hour? 

7 A. They are all 45 miles an hour and with 60 pounds of 

8 braking force, which is the lesser amount of braking 

9 force that he applied in his experiments. 

10 Q. There's no throttle? 

11 A That's correct. This is 13. Can we see the 

12 enhanced photo of 13. 

13 Q. Based on your review of this test was he able to 

14 stop the vehicle with service brakes only, no throttle in 

15 less than 100 feet? 

16 A. Yes. 

17 Q. At 45 miles an hour? 

18 A. Yes. 

19 Q. Let's to go 15. 

20 MR. BAKER: We had to reboot. Your Honor. That 

21 one won't play. Your Honor, let's do 23. Can we have 

22 just a second? 

23 THE COURT: Certainly. 

24 Q. (BY MR. BAKER) If we can see the still. So again 

25 this is test 15. Addition 45 miles an hour when brakes 
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1 

are applied, no throttle, correct? 

2 

A. That is correct. 

3 

Q. This one looks like it got almost to 100 feet before 

4 

this stopped? 

5 

A. Almost to a 100. 

6 

Q. 23, Your Honor, two more. Can we see the still for 

7 

23? Again, 45 miles an hour at the time brake is 

8 

applied, no throttle, was this vehicle able to stop in 

9 

less than 100 feet? 

10 

A. Yes. 

11 

Q. The last one is 25. Is the vehicle again stopped at 

12 

less than 100 feet? 

13 

A. Yes. 

14 

Q. All right. Put up 5726, please. The jury has 

15 

already seen this in evidence, Mr. McCort ' s scene 

16 

diagram. You've seen this before? 

17 

A I have . 

18 

Q. And there has been a great deal of discussion about 

19 

the skid mark that is out there, do you understand that 

20 

the total length from beginning to the back tire where 

21 

the car rested was approximately 100 feet? 

22 

A . No . 

23 

Q. What did I say? I'm sorry, 150. 

24 

A. You said 100, 150. 

25 

Q. I need to reboot. Can we see here, we see 101 on 


THIS TRANSCRIPT IS NOT PROOFREAD 



144 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


the pavement and then another 24 for 125 on the pavement? 
A. That is my understanding, approximately. 

Q. And assume for me there is another six feet of 
improved payment for approximately 131. 

A. Okay. 

Q. Assume that. If we assume at the beginning of this 
skid mark that Ms. Bookout is applying her service brake 
and not her accelerator, and she is going 45 miles an 
hour and her throttle's not open, based on Mr. Arora's 
test that we just saw what should have happened? 

A. I think the vehicle would have stopped. There's 101 
foot section there to the fog line, I think that the 
vehicle would have stopped in that distance. 

Q. If Toyota's correct in what they've been talking 
about in this case and there is no UA, and Ms. Bookout 
left this skid mark by her service brakes alone, she's 
not on the throttle, what does Mr. Arora's test tell you 
when she is traveling? 

A. His test, the one we showed you with the throttle 
closed, so demonstrates that if it takes 150 feet or more 
to stop, more since an impact speed of 20 miles an hour, 
the throttle must have been open. 

Q. If the throttle was not open should the vehicle have 
stopped according to Mr. Arora's test? 

A. Yes. 
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1 MR. BAKER: Move to admit all the prior 

2 exhibits including the pictures. At this time I would 

3 tender the witness. 

4 THE COURT: Mr. Bibb, do you wish to wait until 

5 the morning. 

6 MR. BIBB: I would really would. Your Honor, 

7 it's been a long day. 

8 THE COURT: It has. Ladies and gentlemen, we 

9 are going to be in recess for the day, it is 20 till 

10 five. I will see you tomorrow morning at 9:00. Do not 

11 discuss the case, do not begin to form any opinions about 

12 the case. And remember to check in the jury assembly 

13 room in the morning. 

14 Thank you very much and have a good evening. All 

15 rise when the jury is exiting. 

16 

17 

18 

19 

20 
21 
22 

23 
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1 

THE COURT: We're back on the record in 

2 

CJ-2008-7969, members of the jury are present as well as 

3 

counsel. And I assume that Ms. McAdams is still sick? 

4 

MR. BIBB: McAndrews . 

5 

THE COURT: Pardon me. Mr. Barr, if you would 

6 

please come back to the stand, sir. I'll remind you, you 

7 

are still under oath. And Mr. Bibb, you may continue or 

8 

being your cross-examination. 

9 

MR. BIBB: Thank you very much. Your Honor. 

10 

CROSS-EXAMINATION 

11 

BY MR. BIBB: 

12 

Q. Good morning, Mr. Barr. 

13 

A. Good morning. 

14 

Q. Let's begin by talking about your experience with 

15 

automotive software and unintended acceleration. Before 

16 

-- before you were hired by plaintiff's counsel to do 

17 

work on cases against Toyota, you had never done any 

18 

research into unintended acceleration, had you? 

19 

A. I had not. 

20 

Q. None of your work before getting involved in this 

21 

work against Toyota involved software design work or 

22 

analysis for automotive engine control systems, is that 

23 

correct ? 

24 

A. That's correct. 

25 

Q. And you'll agree with me that you have not seen 
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other automobile manufacturer's software source code, 
have you? 

A. That's correct . 

Q. And you have not talked with anyone who has actually 
seen other automobile manufacturer's electronic throttle 
control systems to know whether Toyota's use of global 
variables is unusual in the field, have you? 

A. I've talked with those in the automotive industry 
about software generally, but with respect to other 
manufacturer's electronic throttle control systems, I 
don't know specifically and don't have any information 
about how many global variables they use. 

Q. I think you told the jury yesterday that you spent 
countless hours working on matters involving the Toyota 
electronic throttle control system, is that correct? 

A. I do . 

Q. Do you have any estimate as to how many hours you 
put in on this? 

A. I don't. 

Q. Would it be literally hundreds of hours? 

A. Probably be thousands of hours. 

Q. Like two, three thousand hours? 

A. I don't know for sure. 

Q. And I understand that for each of those hours you 
charge $400 an hour, is that correct? 
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1 A I don't think that is correct. 

2 Q. What is correct? 

3 A. My current rate in this case is 525 an hour. 

4 Q. I didn't mean to undersell you. Has all of your 

5 work been done at $525 an hour? 

6 A. No, it hasn't. 

7 Q. Has some of it been done at $400 an hour? 

8 A. I think about that price. 

9 Q. But these countless, perhaps thousands of hours you 

10 charged between 400 and $525 an hour, would that be 

11 correct? 

12 A. That's correct. 

13 Q. All right. Now, you understand, Mr. Barr, that the 

14 reason we're all in this courtroom is we're trying to 

15 determine the cause of Ms. Bookout ' s crash on September 

16 20, 2007, do you understand that? 

17 A. Yes, I do. 

18 Q. Let's talk a little bit here about the circumstances 

19 of the crash. You understand that Mrs. Bookout and Ms. 

20 Schwarz were traveling south on Highway 69 towards 

21 Eufaula, Oklahoma, right? 

22 A. In the vicinity of, I'm not sure if they had reached 

23 Eufaula yet. 

24 Q. I just said they were going towards Eufaula? 

25 A I don't know whether it was north of Eufaula or not 
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1 but in that area, she was traveling south. 

2 Q. It's your opinion the cruise control was not on at 

3 the time of the crash, right? 

4 A. That is my understanding of the facts. 

5 Q. And you know the speed limit on Highway 6 9 was 70 

6 miles an hour, are you aware of that? 

7 A. I'm aware of that. 

8 Q. Now, you don't believe that the unintended 

9 acceleration incident that Ms. Bookout claims occurred on 

10 Highway 69, do you? 

11 A. It's my understanding that it began on the exit 

12 ramp. 

13 Q. And you understand that Ms. Bookout successfully 

14 slowed her vehicle and exited on the exit ramp for 

15 Texanna Road, correct? 

16 A. I do . 

17 Q. And you know that Ms. Bookout told us in her 

18 deposition that she applied the brake to slow the car so 

19 as to exit on Highway 69, do you understand that? 

2 0 A. I do . 

21 Q. Now, you also understand Ms. Bookout and Ms. Schwarz 

22 took the wrong exit to get to where they were going, do 

23 you understand that? 

24 A. I read that. 

25 Q. And you understand that the exit ramp there from the 
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Highway 69 to Texanna Road is fairly long, somewhere in 


2 the neighborhood of a thousand feet or more? 

3 A. That is about the distance I understand. 

4 Q. It's your belief that the alleged unintended 

5 acceleration incident began somewhere on the exit ramp, 

6 correct? 

7 A. That's my understanding. 

8 Q. It occurred somewhere before the tire mark that is 

9 at about 150 feet from the point of rest, correct? 

10 A. I would agree with that. 

11 Q. Now, you don't know what the exact speed of the 

12 vehicle was when the malfunction allegedly began, do you? 

13 A. I don't. 

14 Q. And you don't know precisely the throttling at the 

15 time the malfunction allegedly began, correct? 

16 A. That's correct. 

17 Q. Now, in your deposition did you not tell us that it 

18 was very likely that the throttling was significantly 

19 less than halfway open when the vehicle began to 

20 malfunction? 

21 A. That's correct. 

22 Q. All right. Now, we don't -- in your deposition you 

23 said that you didn't have sufficient information to 

24 determine whether Ms. Bookout ' s foot was on the gas pedal 

25 or brake pedal or neither pedal when the alleged 
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1 unintended acceleration began, is that correct? 

2 A That's correct, the precise timing, we don't know. 

3 Q. Well, let's take a look at those three possibilities 

4 that we've got. And Mr. Barr, if you can't see this, let 

5 you me know, okay? So we've got one and I'm just going 

6 to put gas pedal, that her right foot was on the gas 

7 pedal, do you agree with me, that's one option? 

8 A. That is one of the possibilities for when the 

9 unintended acceleration or software malfunction began. 

10 Q. Based on all the vehicle testing that either 

11 Mr. Louden did with you and Mr. Arora's vehicle testing, 

12 when Ms. Bookout stepped on the brake pedal, the distance 

13 from the gas pedal to the brake pedal, when she does that 

14 we get brake echo check as soon as she held the brake 

15 pedal down for longer than 2/10ths of a second, right? 

16 A. In the limited testing that's been done within the 

17 essentially infinite space of vehicle and software 

18 states, it is true in that limited testing the brake echo 

19 check has stepped in if her foot was on the gas pedal and 

20 then she transitioned to the brake pedal. However, that 

21 doesn't rule out that the brake echo would not act for a 

22 number of reasons. 

23 Q. In all the tests, it can be limited or extensive, 

24 we'll talk about the testing later. Every time you go 

25 from the gas pedal to the brake pedal in a 2005 Camry 
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1 

like Ms. Bookout's, what happens then is you get a BN] 

2 

degree throttle, correct? 

3 

A. The first effect of the brake echo failsafe, if it 

4 

acts, is to cut the throttle to degrees or about. 

5 

between five and 10 percent. 

6 

Q. So if Ms. Bookout had her foot on the gas pedal and 

7 

allegedly the task died, and puts her foot on the brake 

8 

pedal, the throttle would go to degrees based on the 

9 

testing that we've done and the way the software is 

10 

written for Toyota and that would be the condition of the 

11 

throttle, correct? 

12 

A. It would. 

13 

Q. Now let's go to number two, and that's — she has 

14 

got her foot on the brake pedal. Okay. Now if she has 

15 

got her right foot on the brake pedal, she doesn't have 

16 

her foot on the gas pedal, right? 

17 

A. That's correct. 

18 

Q. So we've got no gas pedal. And if we don't have our 

19 

foot on the gas pedal, then the throttle would be at 

20 

idle, correct? 

21 

A. I don't think we know that with certainty. 

22 

Q. If the car's operating properly, the throttle would 

23 

be at idle, correct? 

24 

A. It takes some time to return to idle and we wouldn't 

25 

know precisely when the software malfunction began and so 
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we can't say that with certainty. 

Q. Well, let me ask -- while they get the throttle body 
out. You'll agree with me when you say it takes some 
time, the springs on the throttle body, actually when the 
motor is — is giving instructions to no longer keep it 
open, the springs will close this plate in the throttle 
body, right? 

A. What you said is true, but that's not what happens 
when someone takes their foot off the accelerator pedal. 
Q. What actually happens is -- you've got a lot of mass 
in that engine, right? The rpms will slowly come down 
but the throttle itself will close within a second when 
the pedal is released and it's in the idle position? 

A. When the pedal is released, software will drive the 
throttle closed, if it's working properly like the hot 
water valve that I talked about. But that's different 
than what you're talking about with the degree spring 

return. That is a mechanical return that happens in that 
failsafe, but would not happen here. 

Q. A mechanical return on that throttle like I showed 
to the jury, but that happens irrespective of the 
software, I mean, that is a mechanical system separate 
and apart from the software? 

A. It will only happen if the software stops 
controlling the throttle. 
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1 Q. Let's assume she's got her foot on the gas -- on the 

2 brake pedal, she's got no gas pedal, assume your car is 

3 running right so you're at idle, and then your task dies 

4 while she has got her foot on the brake pedal, right? In 

5 none of the testing that's been done has the throttle 

6 ever opened unless you had the cruise control on, right? 

7 A. That's correct, but that is because that's a test 

8 that's not been performed. 

9 Q. Well, we saw -- talked about that cruise control 

10 test that you showed the jury yesterday on the slides, 

11 because the throttle does open because it's trying to get 

12 up to the set speed, do you remember that one? 

13 A. Yes. 

14 Q. If we have a task death and the gas pedal is at 

15 idle, like everything is working right on this car like 

16 it had every day for the two years she owned the car, 

17 then it's going to stick the throttle at idle when the 

18 task dies, right? 

19 A Again, sir, the time matters down to the millisecond 

20 level, in that scenario maybe less than a millisecond, 

21 and so it matters when the task dies relative to when she 

22 lets her foot off the gas pedal. The idle return you're 

23 talking about requires software control and if the task 

24 dies in between when she is releases her pedal, but 

25 before it goes to idle it could continue to be open wider 
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1 than idle. 

2 Q. You don't know what the throttle position was 

3 though, correct? 

4 A. That's correct. 

5 Q. If she is coming down that ramp riding the brakes 

6 slowing down because she knows she's got a stop sign at 

7 the foot of the ramp, let's assume she has been on the 

8 brake for two or three seconds, the engine is going to be 

9 at idle, right? 

10 A. If she's been on the brake for two or three seconds 

11 then that hypothetical I would agree it would likely be 

12 at idle. 

13 Q. And when you're applying the brake pedal and your 

14 engine's at idle, it's no different than pulling up to 

15 the stop sign or a red light here at Park and Harvey in 

16 front of the courthouse, isn't it? Because that is the 

17 way you normally pull up to a stop, right? 

18 A. That's correct. 

19 Q. And so the brakes are going to stop the car even if 

20 the task is dead and you're on -- and it freezes the 

21 throttle at idle, right? The brake's going to stop that 

22 car, right? 

23 A. That's correct. 

24 Q. Now I've got the third option. And that's no gas, 

25 no braking. Okay. Now, under this circumstance she 
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1 doesn't have her foot pressing on either pedal. Then if 

2 she goes off of the gas for two or three seconds, she's 

3 clearly going to be at idling, right, do you agree with 

4 that? 

5 A. That's correct. If she has been off for several 

6 seconds . 

7 Q. And whatever happens, if this mysterious task X 

8 dies, then again, you'd be at idle, when it dies and the 

9 throttle would be stuck at idle. And when she puts the 

10 brake on, she transitioned the brake switch to go to a 

11 failsafes, right, on every test that you've seen run, 

12 isn't that correct? 

13 A. If the only memory corruption affect was to kill 

14 task X and in the limited testing that it's not 100 

15 percent definitive for a number of reasons we can get 

16 into if you want to look at my report, what you say 

17 hypothetically would occur. 

18 Q. Now, so these are the situations that we've got with 

19 this car coming down off that exit ramp, either as soon 

20 as she steps on the gas pedal, what you call limited 

21 testing, essentially all of the testing shows a failsafe, 

22 she's on the brake pedal, not on the gas pedal, she's at 

23 idle, she stops the car. She's not on the gas and not on 

24 the brake, it's idle, goes into failsafe when she steps 

25 on the brake pedal and she would stop the car then too. 
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wouldn't she because it would be idle? 

A. In those hypothetical scenarios, which are not 
consistent with my understanding of this accident, that's 
what would happen. 

Q. You know that Ms. Bookout said that she had her foot 
on the brake and that she pumps the brake, you are aware 
of that? 

A. I am aware of that. I believe she said six or seven 
times . 

Q. And she even said she removed her foot from the 
pedal during that pumping, you're aware of that? 

A. I don't remember her precise words with respect to 
that . 

Q. Have you read Ms. Bookout ' s deposition? 

A. I have. 

Q. Do you recall her saying on page 35 at the end of 
that page -- could we see that, Mr. Doyle? There about 
page 35, line 24. Again, this was Mr. Jennings asking 
the questions. "Do you remember pumping the brake? You 
mean applying the brake and then taking your foot off of 
it and applying it again?" And her answer was "yeah." 

Now if she takes her foot off the brake and applies 
it again, in that situation the brake echo check would 
operate as long as she took her foot off the brake for 
more than two — two hundreds of a thousandths of a 
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second, 2/10ths of a second, she would transition that 
brake switch and as a result the brake echo check would 
come in and would shift to failsafe, isn't that true? 

A. If during the pumping her foot came fully off the 
brake pedal, and not 100 reliably, that the brake echo 
acted, then the failsafe of cutting the throttle would 
have kicked in. However, pumping can occur -- and I 
don't think this answer is clear from a technical point 
of view, pumping can occur, as I mentioned yesterday, 
without full removal of the foot. When most people pump, 
more than half of the people pump in one study that I've 
reviewed, they don't, they never get it completely off 
there . 

Q. We're going to talk about that, that is the Cooper 
study? 

A. That's what I'm referring to. 

Q. You told us yesterday that you've written some 
reports on Toyota unintended acceleration, right? 

A. Correct. 

Q. One of the reports you issued was in September, 
September 17, 2012, do you recall that? It would be your 
rebuttal report? 

A. I do . 

Q. And you described the testing -- you described this 
vehicle testing that you're talking about today as 
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1 limited. The vehicle testing performed by plaintiff's 

2 experts using a testable version of Toyota's ECM, that is 

3 the engine control module software, was necessary to 

4 scientifically confirm our discovery of a single point 

5 failure. So this testing scientifically confirmed these 

6 findings, isn't that right? 

7 A. The testing that was performed confirmed that the 

8 Toyota failsafes have gaps and that there are single 

9 points of failures and unintended acceleration can occur 

10 while no failsafe acts, and they can also confirmed that 

11 sometimes there's a failsafe that will act after the 

12 driver, after the UA has already occurred. 

13 Q. But the one thing that the scientific testing that 

14 you did was confirmed every time, in every one of the 

15 tests of the vehicle that you ran that when the brake 

16 switch was transitioned, it triggered a failsafe, 

17 correct? 

18 A. In the limited testing that was performed in much 

19 larger test space, all the tests eventually if the driver 

20 transitioned the brake switch, that is the unintended 

21 acceleration already occurred, the software malfunction 

22 already occurred, then when the driver acted, sometimes 

23 counterintuitively, by removing their foot from the 

24 brake, then there was a failsafe that a source code shows 

25 is not reliable 100 percent of the time. But in the 
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1 limited testing it did act every time. 

2 Q. It did act 100 percent of the time when tested on a 

3 real vehicle, didn't it? 

4 A. It will not act 100 percent of the time in real 

5 vehicles across a larger test scenario such has a billion 

6 driver hours . 

7 Q. Have you ever in any test seen a failsafe not 

8 activate in a vehicle test? 

9 A. In a vehicle test, that has not been shown. 

10 However, that's not how you prove a negative hypothetical 

11 in science. 

12 Q. Now, you know after the crash the car has inspected 

13 by at least a dozen engineers and scientists, you're 

14 aware of that? 

15 A. I hadn't counted them, but I was aware there were 

16 several inspections of the Bookout vehicle. 

17 Q. And you're aware that among other things the 

18 accelerator pedal was removed from the vehicle and 

19 tested? 

20 A. I understand that no problems were found with the 

21 accelerator pedal. 

22 Q. And the brake switch was removed from the vehicle 

23 and tested, are you aware of that? 

2 4 A . I am . 

25 Q. And you're aware of that brake switch was found to 
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1 be operating normally, correct? 

2 A. I do. 

3 Q. So now, when we took your deposition you told us 

4 that you had not ruled out pedal misapplication as the 

5 cause of Ms. Bookout ' s crash, had you? 

6 A. At that time of my deposition in early August, that 

7 was correct . 

8 Q. And in fact, this accident can be explained by 

9 simple pedal misapplication, can it not? 

10 A. No, it cannot. 

11 Q. So by a combination of applying the gas pedal and 

12 applying the brake pedal at different times, coming down 

13 that ramp, you don't think you can reproduce this crash? 

14 A. That's correct. 

15 Q. Have you been to the scene? 

16 A. I have not been to the scene. 

17 Q. Have you seen the car? 

18 A. I have not -- I have not seen the car in person. 

19 Q. Have you tried to do any testing yourself of a 

20 vehicle to see if you can apply the gas pedal and then 

21 apply the brake pedal and have this accident occur? 

22 A. I have not. That's not my role here. 

23 Q. Now, you are aware, are you not, from looking at 

24 some of the research that you've done that there was this 

25 incident in Santa Monica, California where a gentleman 
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1 drove by the farmers market, correct? 

2 A. I'm familiar with that incident. 

3 Q. And that incident covered over 750 feet, did it not? 

4 A. I don't know the precise distance. 

5 Q. And it lasted for more than a few seconds, correct? 

6 A. That's correct. 

7 Q. And then you're aware in the Cooper study that you 

8 just mentioned to me that there was one driver in that 

9 study that froze up and plowed through the cone barrier 

10 at the end, correct? 

11 A. I am aware of that. 

12 Q. And you're aware in one of the tests where they were 

13 having people pump the brakes, one of the subjects pumped 

14 the accelerator pedal, you're aware of that too, are you 

15 not? 

16 A. I am aware of that. 

17 Q. And so it is -- you just can't rule out that Ms. 

18 Bookout might have pressed the accelerator pedal when she 

19 meant to press the brake, can you? 

20 A. Yes, I can. 

21 Q. And of course, if she did do, that when she finally 

22 got on the brake, even if there was a task death, the 

23 limited testing or the scientific testing that you 

24 mentioned would put it into failsafe, correct? 

25 A. Yes. And then she would not have skidded for over 
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1 100 feet -- 150 feet. 

2 Q. Well, if you put on the brakes you can press them 

3 hard enough to cause the brakes to skid, can you not? 

4 A. I'm sorry, sir. 

5 Q. Let me rephrase that. You can, whether you apply 

6 the parking brake or service brakes or both at the same 

7 time, can get tire marks from this vehicle, correct? 

8 You've seen that in some of the testing, have you not? 

9 A. I'm sorry, I still don't understand the question. 

10 Q. Never mind. I'll move on. Let me ask you about the 

11 vehicle testing, and we're going to look at one of those 

12 slides you showed in a few minutes. The vehicle testing 

13 that was done by Mr. Louden, in order to run those tests 

14 he ran that vehicle not on the road like we saw with Mr. 

15 Arora's test, he ran that vehicle on a chassis 

16 dynamometer, correct? 

17 A. That's correct, we felt that was safer. 

18 Q. And the chassis dynamometer has big rollers to allow 

19 the vehicle to simulate by rolling its tires against 

20 these rollers, simulate being on a road, correct? 

21 A. That's correct. 

22 Q. All right. But this is a no load dynamometer, 

23 correct? 

24 A. I believe so. 

25 Q. And so the vehicle is kind of free to spin against 
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1 those, even when the throttle is cut. It would take 

2 longer for the vehicle to slow down than it would if it 

3 was out on the highway, right? 

4 A. That's correct, as I mentioned yesterday. 

5 Q. Now, to cause task death in the tests that Mr. 

6 Louden performed, you had to modify the software source 

7 code, isn't that right? 

8 A. That's correct, with Toyota's help. 

9 Q. And when you modified the source code that allowed 

10 you to do fault injection testing, correct? 

11 A. That's correct. 

12 Q. And in other words, Mr. Louden would use a computer 

13 to inject faults to cause the task to die, is that right? 

14 A. That's correct. 

15 Q. I mean, these tasks did not die on their own, did 

16 they? 

17 A. We were conducting testing and we wanted to see what 

18 happened when tasks died, so we killed them at a time of 

19 our choosing so that we could observe the outcome. 

20 Q. In order to kill the tasks, you had to do it by 

21 reprogramming the engine software so that as to prevent 

22 certain portions of the software source code from 

23 running, so that allowed you to then stick the throttle, 

24 correct, by killing the task? 

25 A. That's inaccurate, sir. 
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1 Q. In other words, you did have to remove parts of the 

2 source code, did you not? 

3 A. No, we did not. 

4 Q. But had you ever achieved task death in a Toyota 

5 engine control system without killing it? 

6 A. All the testing that we did was under the conditions 

7 of the injecting a fault and observing the results. 

8 Q. Never had one just die a natural death, have you? 

9 A. That's not something we were standing around looking 

10 for, sir. 

11 Q. The answer to that is no, you never had one just 

12 die, you had to kill it? 

13 A. Not that we know of it, sir. It might have died and 

14 we wouldn't know it necessarily. 

15 Q. Fair enough. You don't know of any tasks that have 

16 just died on their own, do you? 

17 A. I do not, in the testing. 

18 Q. Now at the end -- at the end of your testimony 

19 yesterday we looked at some of Mr. Arora's tests, do you 

20 remember those? 

21 A. Yes, the videos. 

22 Q. And you know from -- you've read his deposition, 

23 correct, taken back in August or September? 

24 A. I've read several of Mr. Arora's depositions. I'm 

25 not sure which one you're referring to. 
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1 Q. The one in this case, I think you might have been 

2 asked about some of the testing that he did that we saw 

3 yesterday, do you remember that? 

4 A. Yes. 

5 Q. And you know that the purpose of Mr. Arora's testing 

6 was to see whether killing any task or combination of 

7 tasks resulted in longer braking distances, you 

8 understood that was the point of his testing? 

9 A. That's correct. 

10 Q. And in fact none of the braking distances were 

11 longer than expected because of task death, correct? It 

12 didn't make the car take longer to stop, did it? 

13 A. Not that I was aware of, no. 

14 Q. And you're also aware from Mr. McCort ' s testimony 

15 that if Ms. Bookout was applying the service brakes to 

16 cause that tire mark that we see, and the cops had talked 

17 about in the case, rather than the parking brake -- and 

18 let me back up for just a second. The test we saw with 

19 Mr. Arora, he was applying the service brake, correct? 

20 A. My understanding is he was applying the service 

21 brakes only, not the parking brake, and he was applying 

22 that at 60 pounds of force. 

23 Q. And the service brakes, those are the brakes that 

24 are operated by the brake pedal down underneath the 

25 dashboard, right? 
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A. That's right. What you think of as the brakes. 

Q. And so Mr. McCort, if you recall, maybe you read his 
testimony, maybe the jury will recall, that if you were 
going to cause that skid mark that the police officers 
have told us about out there on the exit ramp at Texanna 
Road with the service brakes as opposed to the parking 
brake, the car would have had to have been going 60 or 65 
miles an hour, do you recall that? 

A. With respect to Mr. McCort testimony, I don't 
remember that specifically. But it's my understanding of 
Mr. McCort ' s testimony that it's his opinion that the 
parking brake was pulled. It's my understanding also of 
the police officer's testimony and other eyewitness 
testimony that the parking brake was pulled and involved 
in those skid marks . 

Q. The jury will recall what the officer's testimony 
was, Mr. Barr. But the long and short of it, none of Mr. 
Arora's tests were run with the parking brake being 
appear applied to slow or stop the vehicle, were they? 

A. They were not. My understanding would be that if 
you added the parking brake to the service brake, the 
stopping distance would have been even shorter. 

Q. Now, Mr. Barr, I know you explained to the jury 
yesterday, but at your first try at artificially 
producing task death you made some errors, did you not? 


THIS TRANSCRIPT IS NOT PROOFREAD 



26 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


A. I believe I made one error, sir. 

Q. And when you wrote your original report you didn't 
know that a brake echo would cut the throttle to 
failsafe, did you? 

A. At the time of my July 2004 report in the Van Alfen 
case I was not aware of that. 

Q. And I understand and you explained you had limited 
time to review that monitor CPU source code prior to 
issuing your July 17 or July 18 2012 report, is that 
right ? 

A. That's right, this was the source code that was 
proceeded just a few weeks before. 

Q. Now, you did have a chance to review it, and in 
fact, did you not remove about 20 percent of that source 
code to make it -- to facilitate your review of it? 

A. The error that I made was based on not having the 
tool that's used to compile that, the assembler that I 
spoke of yesterday, and not having that assembler, it was 
my understanding that about 20 percent that of code 
belonged to another chip called the Sigma 2, and that the 
80 percent that I reviewed as in the ESP-B2 . 

I later learned that the situation was flipped and 
that I should have looked at that 20 percent of the code 
as well in my analysis, which I did in my supplemental 
report which I filed in that case and the judge accepted. 
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Q. Well, you filed a rebuttal report two months later 
on September 17, 2012, did you not? 

A. I did not, but I was not aware at that time. 

Q. And you had additional on two months to work with 
this source code and you made the same error in that 
report, did you not? 

A. I don't think that was — I was still not provided 
the tool that would have changed my mind another any 
other evidence. 

Q. So you made the same mistake two months later after 
you had two more months to work on this, as you made on 
July 17, right? 

A. I'm not sure how active I was is in Toyota work 
during that time. I don't recall. 

Q. But you didn't correct the error that you stated in 
your July report even two months later in your September 
report, did you? 

A. As I stated earlier, as soon as I became aware of 
it, within ten days, I studied the extra 20 percent of 
the code, I wrote a supplemental report. The report I'm 
using in this case, the Saint John case, incorporates 
that analysis, that full analysis. 

Q. Your theory has kind of changed over time because 
you had one theory, and then you discovered that it was 
not accurate so you had to do something else, haven't 


THIS TRANSCRIPT IS NOT PROOFREAD 



28 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


you? 

A. I don't believe that is accurate, sir. 

Q. But you'll agree with me that your initial theory 
was that that monitor CPU would not cut the throttle, 
right, when it detected a brake change? 

A That was an element of my understanding of the 
failsafe misbehavior, but my theory was then and remains 
that tasks can die, that as a by-product of tasks dying, 
unintended acceleration can occur and not all of those 
unintended accelerations will be caught before there is 
harm to the drivers, passengers and pedestrians. 

Q. And you didn't learn of the mistake that you had 
made until you learned about it from Mr. Arora, did you? 
A. That's correct. You said September 17th, I don't 
remember the date, when I issued my rebuttal report to 
his, he issued his rebuttal report to mine and it was at 
the time that I learned that I needed to look at the 
additional 20 percent of the code. 

Q. Each side had to submit their expert reports written 
in the same day, is that correct? 

A. That's correct. That's how this works. I pointed 
out errors in Mr. Arora 's analysis at the same time. 

Q. And you had to go back and kind of retract the 
statement that this brake echo would not shut down the 
throttle motor, correct? 
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1 A. That's correct, but it didn't change my ultimate 

2 conclusion in that case, and it's not relevant here to 

3 this case. 

4 Q. Now, in addition to setting this failsafe, if this 

5 fault persists for more than, what is it, three seconds 

6 or so, the vehicle will stall out, correct? 

7 A. That's correct. The brake echo check, if it's 

8 responding to task X death, will first, after that 

9 2/10ths of a second, will cut the power to the throttle 

10 and then three seconds later, it could be slightly 

11 longer, three and a half seconds, but approximately three 

12 seconds later it will stall the engine. 

13 Q. Ms. Bookout ' s vehicle didn't stall in this accident 

14 did it? 

15 A. That's correct. 

16 Q. We can all degree on that. And we can also all 

17 agree that this transition of the brake switch it has to 

18 occur for 2/10ths of a second, correct? 

19 A. That's correct. And it will not be reliable. It 

20 may not work every time -- 

21 Q. I'm sorry, I apologize. The 2/10ths of a second, 

22 that's as fast as a blink of an eye, isn't it? 

23 A. That's accurate. 

24 Q. Now, you have not reproduced in vehicle testing your 

25 theory that there's a software bug that opens the 
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1 

throttle and then the task dies, have you? 

2 

A . No . 

3 

Q. And you have not reproduced in vehicle testing your 

4 

theory where there's task death and then the throttle is 

5 

opened farther by a software bug or corruption, correct? 

6 

A. Right. So the second corruption that I talked about 

7 

yesterday has not been demonstrated in a vehicle. We've 

8 

not attempted to. 

9 

Q. All right. Now, do you know how big the throttle 

10 

angle would have to be for the vacuum to the power assist 

11 

not be replenished when the brakes are pumped? 

12 

A. I've seen various percentages for the throttle angle 

13 

of which the vacuum brake -- vacuum assist to the brake 

14 

doesn't replenish. NASA quoted around 30 percent, other 

15 

experts have said -- NASA said 30 degrees, which is about 

16 

a third of the way open; other experts have said smaller 

17 

amounts, bigger amounts. I don't know the precise 

18 

number, and in fact vary by vehicle. 

19 

Q. And you know Mr. Hannamann who's back here, he's 

20 

done a little testing on that to try to evaluate that. 

21 

correct ? 

22 

A. I understand that. 

23 

Q. But you know that all the testing of Mr. Hannamann 

24 

or NASA or the engineers that Toyota has retained in the 

25 

case, the vacuum is always replenished if you're HHj 
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1 degrees, correct? 

2 A. I don't know that I've reviewed all that data to say 

3 always, but certainly data that I've seen is consistent 

4 with that . 

5 Q. And the data that you've seen would certainly 

6 indicate you would not lose vacuum assist if your 

7 throttle is at degrees, correct? 

8 A. My understanding is that's extremely unlikely. 

9 Q. Let me talk to you for just a moment about these 

10 MISRA violations that you talked about yesterday. The 

11 first version of MISRA was put out in 1998, correct? 

12 A. Yes, I believe it was March or April. 

13 Q. Now, you understand from Mr. Ishii's testimony that 

14 Toyota's coding standard started being developed starting 

15 in 1994, you're aware of that? 

16 A. I don't remember the year he stated. I believe he 

17 stated the 1990s. But it was updated during the time 

18 frame that this vehicle was designed. In fact, I 

19 reviewed the 2002 version which my understanding would be 

20 the version -- even though they weren't enforcing it, 

21 they were updating it every year or two. 

22 Q. And Toyota's standards were established in 1997, you 

23 understand that? 

24 A. You said 1994 earlier -- 

25 Q. That's when they started being developed. They were 
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then established by '97? 

A. That's the number that sounds right, the date that 
sounds right to me. 

Q. And when Toyota issued its coding standards there 
weren't any MISRA standards, were there? 

A. If they issued them in 1997, that would be true. 

Q. Now, MISRA was updated in 2004 to improve from the 

1998 version, right? 

A By and large the rules are the same. Some rules 
that had previously been recommended became required. 

And there was a rearrangement, the chapters were 
rearranged and the rule numbering system was rearranged a 
bit. By and large they are the same rules. 

Q. Now the Camry that Ms. Bookout was driving was a 
2005 model year vehicle, right? 

A. That's correct . 

Q. And you mentioned just a couple of moments ago that 
this was introduced as a new model in the 2002 model 
year, is that right? 

A . No . 

Q. This car was not -- this series Camry was not 
introduced as a 2002, and then updated year after year 
through I think about 2006, right? 

A. Okay. I misunderstood your question. You're 
referring to the electronic throttle control use in the 
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Camry began in 2002. 

Q. 2002 was the first year for the Camry. And since it 
was a 2002 model year vehicle, it wouldn't surprise you 
that the car actually went on sale some time during 
calendar year 2001, right? 

A. That's correct. 

Q. And you're familiar I assume in some of the work 
that you've done, that it generally takes three or four 
years to develop a new car, are you aware of that? 

A. Yes, I am. 

Q. So if we go back to 2001, we're looking at 1997 or 
1998 when the development work to begin on this Camry 
with the electronic throttle control system, correct? 

A. I think that is fair to say, but I would just point 
out that the actual development of the software is one of 
the later things that would be done in the three to four 
year process. 

Q. So when the development of this vehicle began in 
'97, the MISRA standard weren't even in effect, were 
they? 

A. Not for the vehicle we're talking about here. 

That's the 2005 Camry, you're talking about the 2002 
Camry . 

Q. And they went from year to year with the software 
being developed and adjusted and modified each year, is 
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1 that right? 

2 A. They did, in a very sloppy way. But in the 2005 

3 model year, I believe it was, they redesigned the 

4 electronics. Went from two processors to one processor, 

5 switched from the ITron operating system to the OSEK 

6 operating system, and the updated their coding standard, 

7 and they designed a new monitor CPU. So given that level 

8 of effort, they certainly in around 2002-2003 time frame 

9 when they were doing these things for the 2005 Camry 

10 model, could have adopted at least the 1998 MISRA system. 

11 Q. Thank you, Mr. Barr. Now, Mr. Barr, I want to talk 

12 to you and talk now to the jury about just some of your 

13 slides, we're not going to go through all the slides. 

14 We'll talk about some of the slides with you, all right, 

15 and the first one is slide number three. This was when 

16 you had the book up here and I really want to focus on 

17 this third one here. I don't know if the jury can read 

18 it there. But this book that you published, it has 

19 Michael Barr's coding standard in it, doesn't it? 

20 A. It's the Barr Group's coding standard. 

21 Q. Right and that's different from the MISRA coding 

22 standard? 

23 A There is considerable overlap between the two, 

24 that's correct. 

25 Q. But it's different from the Toyota coding standard? 
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A. It is, and it's aimed at a slightly different set of 
imbedded systems developers than MISRA is aimed at. 

Q. I know you're critical of Toyota creating their own 
coding standards, but the Barr coding standard is another 
coding standard out there, right? 

A. It is. 

Q. And if you compare to the Barr coding standard to 
the MISRA coding standard, you have violations in the 
Barr coding standard that didn't match up with MISRA' s 
coding standard, right? 

A. First of all, I would say there's considerably more 
overlap between the imbedded C coding standard book and 
MISRA. And second of all, someone who followed that 
coding standard would not violate those MISRA rules. 

And this book is really not aimed specifically at 
safety critical systems developers. It's trying to take 
some of the lessons learned in safety critical and in 
MISRA and bring them down to things like this Nike fuel 
ban. In fact, I've been in touch with engineers who work 
there who are adopting this coding standard. And they 
don't need to design a safety critical system but they 
still want to maintain good software and they want to 
keep bugs out because if they have a million of these in 
the field and there's a bug, then they have to get 
everybody to update their software or do a recall, or 
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1 their reputation suffers. So that's what this book is 

2 trying to do. And actually in it says, look at the MISRA 

3 rules, those are smart people, they came up with good 

4 rules and you should follow as many of them as possible. 

5 And this book augments that by adding some additional 

6 stylistic rules to make it easier for programmers to 

7 understand their own code later when they review it and 

8 also the code of other developers. 

9 Q. I think the question was, if you ran a MISRA checker 

10 on code written to Barr standard, you'd end up with a 

11 violations of the MISRA code, correct? 

12 A. Possibly for the rules that are not overlapping. 

13 Q. Now, did you tell us yesterday that there's always 

14 going to be some bugs in software, right? 

15 A. Yep. 

16 Q. So on the cover of your book, though, you put up 

17 here "zero bugs". That is not true, is it? 

18 A. If you read what that means in the book, it says 

19 zero bugs is not achievable but you should structure your 

20 software process, your software architecture, your coding 

21 standard and your company safety culture for the purpose, 

22 the aim of trying to get there. 

23 Q. Right. But you'll never get to zero bugs, will you? 

24 A. That's correct. And that's not what that implies. 

25 Q. All right. I won't judge a book by its cover. 
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Now, let's go to slide number six. And this was an 
example of writing software that you gave us yesterday, 
okay? Now, here, to make sure I understand it, the way 
it's read here you've got two numbers, two values, right? 
A. That's correct . 

Q. An A value and a B value. And the way this reads if 
A is bigger than B, like it's 10 and 4, and then you use 
the larger, right? 

A. That's correct . 

Q. If it's A is four and B is 10, then you'd use B? 

A. That's correct. 

Q. Use the larger value always, right? 

A. That's correct . 

Q. Now, if A is 10 and B is 10, this doesn't tell us 
what to do, it's going to use B, isn't it? 

A. No -- well, t's going to use B, but that's going to 
be the right answer because whichever one you return in 
that case -- 

Q. It's not a larger value than A? 

A. Well, the name of the function was chosen to explain 
the recipe. 

Q. Make sure I understand, 10 is not larger than 10, is 
it? 

A Another name for the function could have been chosen 
to emphasize that. 
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1 Q. I mean, this is a bug, isn't it? 

2 A. No, it's not. 

3 Q. Not a bug. Doesn't function the right way, though, 

4 does it? 

5 A. It doesn't function according to the way I named the 

6 function, but real software would have a specification 

7 that said what was supposed to happen when they were 

8 equal. When I put together this slide, I certainly 

9 thought about the fact that they could be equal and what 

10 to do. And I thought, well, I only have view lines of 

11 PowerPoint and I'm explaining it to a lay audience, and 

12 so I didn't include a specific representation. But I 

13 would not describe that as a bug, sir. 

14 Q. Not a bug. Not a bug. Let's go then to slide 

15 number 7. And yesterday you were talking about the 

16 throttle being like a shower that you turn on, do you 

17 remember that? 

18 A. Yes. 

19 Q. Do you think that is an apt analogy? 

20 A. It's referring actually to the hot water. 

21 Q. And because the throttle isn't like a shower, is it, 

22 because the shower you turn on and let go and take your 

23 shower and then turn it off. The throttle you'd have to 

24 turn that handle and then hold it open to keep the water 

25 coming, wouldn't you? 
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1 A. That's correct. In the throttle in the car you have 

2 to keep holding it open, because if you don't keep 

3 holding it open electrically, then it has a mechanical 

4 spring that will return it back to closed. But as long 

5 as the software is controlling it, to be clear, it will 

6 act just like you letting it — set it and forget it. 

7 Q. What we know is when the check -- the brake echo 

8 check kills power to the throttle motor, the throttle 

9 closes, right? 

10 A. That's correct. If the software, whether it's 

11 functioning properly or not, stops controlling that, then 

12 the mechanical turn spring will take over. 

13 Q. You also showed us a photograph of an engine control 

14 module, correct? 

15 A. Correct. 

16 Q. This is a 2008 Camry, is it not? 

17 A The one I showed is a 2008. 

18 Q. Is this a 2005 here, do you recognize that? 

19 A. Yes. 

20 Q. Okay. Now, you talk about the hostile environment 

21 that the system has to operate under. Do you know where 

22 the 2005 electronic control module in located in the 

23 Camry? 

24 A. I believe the 2005 is under the dash. 

25 Q. It's inside the passenger compartment, isn't it? 
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A. That's correct . 

Q. It ' s in front of the glove compartment, correct? 

A. That's a good description. 

Q. Now, look at slide 10. You talk a lot about -- I'm 
not going to try to go over lengthy -- but you talk some 
about the NASA report, do you remember that? 

A. Yep. 

Q. And you've got a quote here on this slide from the 
NASA report, right? 

A. Yes, I do. 

Q. Now, you gave a lot of quotes from that NASA report, 
but the conclusion that NASA reached, could I see page 17 
of the NASA report in executive summary? The last 
paragraph there, Mr. Doyle. You quoted first sentence 
there several times, but you didn't quote the second 
sentence, which is the final sentence of the executive 
summary that says the testing and analysis described in 
this report did not find that TMC, and you know that 
means Toyota Motor Corporation, and the ETCS-i means the 
electronic throttle control system, correct? 

A. Correct. 

Q. The testing and analysis described in this report 
did not find TMC ETCS-i electronics are a likely cause of 
large throttle openings as described in the VOQs . And 
the VOQs for the jury, are what, vehicle owner 
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1 questionnaires? 

2 A Yeah, that is the -- when people call the National 

3 Highway Traffic Safety Administration, NHTSA, or going on 

4 to the web site to complain about their vehicle, they 

5 fill out a vehicle owner questionnaire. 

6 Q. And you used some of those or reviewed some of the 

7 VOQs for those other accidents that you were talking 

8 about at the end of your testimony yesterday, correct? 

9 A. Yes. 

10 Q. So in other words, what this is saying here is the 

11 NASA testing and analysis described in this 100 and some 

12 odd page report did not find that Toyota's electronics 

13 are a likely cause of large throttle opening as described 

14 in reports from other consumers, correct? That's what 

15 they concluded? 

16 A. That's correct. 

17 Q. Now, go to slide 13. You quoted this second 

18 postulated scenario as a systematic software malfunction 

19 of the main CPU, opens the throttle without operator 

20 actions, and continues to properly control the fuel 

21 injunction and emission, correct? 

22 A. Yes. 

23 Q. That is one of the things you highlighted for this 

24 jury. But if we could look at the whole paragraph that 

25 sentence comes from, Mr. Doyle. 16, and it's the 
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paragraph right there -- that begins with the second 
postulated, it's the next to the last paragraph. This 
was the paragraph that you picked that sentence out from. 
And down at the foot of it, it goes on to say that the 
main CPU malfunction would be required to open throttle 
beyond five degrees with the accelerator not pressed and 
leave no failure code. 

The NESC team, that's the NASA team, right? 

A That's right, it's the research group within NASA. 

Q. The NESC team examined the software code of more 
than 280,000 lines for paths that might initiate such an 
unintended acceleration, but none were identified, right? 
That was what they report? 

A. That's what they said. 

Q. Now, you mentioned that you had had some assistance 
in doing the software code review, is that right? 

A. That's correct . 

Q. And how many folks did you have helping you? 

A. Well, I have three from the Barr Group team, I also 

relied from time to time on three others. 

Q. That would be six folks? 

A. That's correct . 

Q. Or is that six including you? 

A. That's seven, six helping. 

Q. Mr. Doyle, can we go to page 11 of the NESC report? 
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1 This was the team that NASA had put together here. This 

2 is just the first page of it. They had 33 scientists and 

3 engineers working on this project, didn't they? 

4 A. They did, but I think if you count the software 

5 engineers you'll find there is significant less than 

6 seven. 

7 Q. Because they looked at it from all different angles, 

8 not just the software angle, right? 

9 A. That's correct, and we were in the source code room 

10 looking at the software and we were focused on the 

11 software system. 

12 Q. You can see the second page of those engineers. 

13 And this report was issued in January 18 of 2011, 

14 correct? 

15 A. I know that date, that's right. 

16 Q. And they were charged with this research in March of 

17 2010 so they worked about 10 months on it, correct? 

18 A. That's sounds like the total length of time, 

19 something like that. 

20 Q. With all of these people looking at not just the 

21 software, but the electronics, the computer scientists on 

22 this list, mechanical engineers, everybody looked at it, 

23 correct? 

24 A. i don't think it says here whether someone 

25 contributed one hour or 100 hours, so we really don't 
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know how much of a contribution some people made. 

Q. But these people were all on that team, correct? 

A. That's correct . 

Q. Thank you, Mr. Doyle. Now I want to look at slide 
number 20, about halfway through. And I want to ask you 
about, this is this test, and apologize I've writing on 
your slide here. I want to make sure the jury and I 
understand this slide. I'll just focus on the graph 
here. So, in this slide what we have is the cruise 
control set at 68 miles an hour, right? 

A. That's correct. 

Q. And you start out, and Mr. Louden is he in the 
vehicle? This is one of those dynamometer tests, right? 

A My understanding he's in the vehicle, that's 
correct . 

Q. And he's in the vehicle. Does he have a computer or 
switch box or something in there with him? 

A. He's able to log things that are happening on one 
computer, and I don't know if it's a separate computer 
that Toyota Tech Stream, that he was able to inject the 
fault . 

Q. And he actually also had to switch that he could 
switch on the brake rather than having to apply with his 
foot, didn't he? 

A. I think he was applying with his foot. 
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1 Q. We'll look into that later. But so we start out, 

2 and the speed is below 68 miles an hour. And 

3 unfortunately, these numbers are in kilometers, aren't 

4 they? 

5 A. The left access, vertical access is in kilometers 

6 per hour. 

7 Q. So you've got to convert, so like 100 kilometers per 

8 hour is roughly 62 miles an hour, correct? 

9 A. I think it's almost exactly 60, sir. 

10 Q. So the jury can kind of figure this out. 50 miles 

11 an hour would -- be 50 kilometers an hour would be about 

12 30 miles an hour, right? 

13 A. 50 and 30, that's right. 80 and 50 is one that I 

14 know. 

15 Q. So for 80 kilometers an hour is like 50 miles an 

16 hour, right? 

17 A. That's correct. 

18 Q. So if we're below 68, and you can see down here this 

19 red line is how open the throttle is, correct? 

20 A. That's correct . 

21 Q. And you also used this graph to represent percentage 

22 of throttle opening, don't you? 

23 A. That's not a 20 percent on the left there. 

24 Q. What is it? 

25 A. I don't recall as I sit here. 
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1 Q. As a matter of fact, this acceleration rate is 

2 pretty gradual, isn't it? 

3 A. Yes. 

4 Q. If you go from 50 miles an hour to 90 miles an hour 

5 it takes you like 30 seconds to do that? 

6 A. That's correct. 

7 Q. I mean, I know this is a four cylinder Camry, but it 

8 will accelerator faster than that, won't it? 

9 A. Cruise control resume function will not accelerate 

10 as fast as some other functions. 

11 Q. That's exactly where I was going, because now you're 

12 at cruise control, so any of us that have a cruise 

13 control car now when we press that button to resume, the 

14 acceleration rate is a lot more gradual than flooring it, 

15 right? 

16 A. That's correct. 

17 Q. So that means the throttle isn't open as wide it a 

18 possibly could be. Do you know if this 20 percent 

19 throttle? 

20 A. I don't believe that access applies to that. I 

21 don't know the percentage of it. 

22 Q. But in any event, at this point when you kill the 

23 task, because the speed is still below the requested 

24 speed, it just keeps applying the throttle. It's trying 

25 to accelerate up to that set speed, right? 
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A. That's right. So what should you have happened is 
that when the blue line crossed the set speed at 68 miles 
an hour right there. 

Q. It should flatten out? 

A. It should flatten out at that point. And software 
that does that, the cruise control is in the task X. 

Q. Mr. Louden killed that task. And we've also seen 
the throttle memory increases it. It was killed there, 
it just stayed flat? 

A. Right, because when we were injection faults, we 
were only flipping one bit. That's not how real memory 
corruptions happen in software systems. Real memory 
corruptions bounce around, ricochet and cause multiple 
damages. For example, if one bit flips and that's in the 
pointer address, then when that pointer is used, then you 
go to the wrong place and you write something else. So 
they can be cumulative. 

When we did our fault injection testing it was like 
taking a rifle shot, just flipping one bit or what we 
were interested in flipping and nothing else. 

Q. And you've — we've already agreed that none of the 
testing that you've done or Mr. Arora's done, have we 
ever had this memory corruption to cause the throttle to 
open greater, have we? 

A. Nobody has tested that as far as I'm aware. 
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Q. Nobody has done that. Not only not tested, we have 
no documentation that that's ever happened, do we? 

A. No. But unfortunately for Toyota, you can't 
disprove it. It's trying to prove a negative. It's 
trying to prove, for example, that there are no aliens in 
the universe. You can only say that you have not found 
any on Mars, but you can't say definitively that they 
don't exist. 

And so the same is true here that just because today 
as we sit here I don't have this test data, it would only 
take one, and it could depend on timing and other factors 
that we can't control right now in our testing, but it 
would only take one experiment to see that throttle open 
wide from the second memory corruption to prove our 
point, whereas a million experiments that didn't open 
would not prove what Toyota would like you to believe. 

Q. And we don't have that experiment, that experiment 
has never been done? 

A. That experiment as far as I understand hasn't been 
done by either side to date. 

Q. As soon as this brake switch was transitioned, this 
speed -- the engine throttle closed, and then because it 
was still, the task was still there, the engine stalled, 
correct ? 

A. When the brake switch was transitioned for more than 


THIS TRANSCRIPT IS NOT PROOFREAD 



49 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


2/10ths of a second, that's what happened. 

Q. Unlike Ms. Bookout ' s crash, right? 

A. Ms. Bookout ' s engine did not stall, as I understand, 
Q. No, on this stack analysis, which is 25 — finger 
over that -- that's the stack where is the throttle 
control is, correct? 

A. The throttle control, that very complicated function 
in task X executes on that stack, is that correct. 

Q. Now, if you look at slide 29. This may be -- maybe 
just — NASA didn't call any of the MISRA coding issues 
violations, they called them deviations, didn't they? 

A. I don't remember what word they used, sir, they're 
violations or deviations both. 

Q. If you look -- you're talking about MISRA -- 
talking about these violations in this document here, but 
if we looked at the NASA record appendix A, page 29, 

Mr. Doyle, what they really said was it was deviations up 
at the top photograph. They never refer to these as 
violations, did they? Deviations? 

A. I'm not going to say never, because I haven't 
reviewed the report for that, but there it says 
deviations . 

Q. And this is the section they are talking about the 
MISRA rule check, right? 

A. That is a section. 
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1 Q. Now, on slide 32 I've got to take issue with you, 

2 Mr. Barr. You quoted part of what Mr. Ishii said. Right 

3 there. He had a much longer answer than the stuff that 

4 we got right there, didn't he? 

5 A. I don't recall. I think that's the salient point. 

6 Q. Did you put this slide presentation together? 

7 A. I did, and I took that quote from my report. 

8 Q. Can we me see Mr. Ishii, page 90. And we heard Mr. 

9 Ishii 's testimony a couple of days ago. This is page 89. 

10 I'm going to focus you on line 13 -- you don't even have 

11 the question there, we just have an answer, don't we? 

12 A. That's correct. 

13 Q. This is again, you quoting from page 91 here, but 

14 what he actually had to say starts up here. The question 

15 was. Is it your position, Toyota, that there are no major 

16 bugs in the engine control module software from 2008 

17 Camry engine?" And his answer was "One thing I can 

18 definitely state here is that with respect to the engine 

19 control software bug or problem that leads to a UA, 

20 that's unintended acceleration, and I will define 

21 unintended acceleration as an unintended engine rpm 

22 increase unintent ioned by the system designer. That sort 

23 of bug is not there. That I can state definitively, 

24 since the term major bugs is not -- as used in your 

25 question was undefined and vague. I defined UA and 
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provided that definition to you in answer to your 
question . 

And then here's the answer you quoted right there. 
When it comes to software, you had some ellipsis in 
there, but the next question was -- and this is a really 
material question -- are there any bugs in the software 
that can cause the main CPU to open the throttle 
inappropriately? And you left this answer out. I will 
repeat what I said before and that is with respect to 
software bugs that could result in unintended 
acceleration and my definition would be an engine rpm 
increase contrary to what is designed by the system 
designer, that kind of bug does not exist. 

That's what he said about that, didn't he? 

A. That's what he said, but it doesn't sound like 
science to me, but that's what he said. 

Q. Now, almost done here. You showed us this fish bone 
diagram. Mr. Doyle, I'm going to need to have the NASA 
report in just a moment. Appendix B. You showed us this 
fish bone diagram up there. Now, you understand that 
this diagram was for the software error only, right? 

A. I do . 

Q. And you modified this chart for your purposes in 
this case, did you not? 

A. I modified that chart to make it clearer what was 


THIS TRANSCRIPT IS NOT PROOFREAD 



52 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


upstream . 

Q. You also modified it to put in the words "UA" or the 
letters "UA" up in the corner, because that ' s not on the 
chart in the NASA report, is it? 

A. That's right. There it says a global concern and it 
continues on to another chart. 

Q. You didn't tell the jury yesterday that you modified 
this chart to change it from global concern to UA, did 
you? 

A. You're right, I didn't. I was trying to make the 
chart's ultimate purpose, which is a UA clear, which if 
you continue the global concern up in their fish bone 
which gets more complicated, that's ultimately what they 
are looking for. 

Q. And so if we go to the — after this chart there are 
two more pages which list the disposition detection — 
not that one. That's where it says global concern. Now 
the next page, Mr. Doyle. There are two pages that go 
through for each of those concerns -- if you give me the 
last two columns. And here it talks about what will 
happen and talks about how it's detected and how it's 
mitigated, each one of those software errors, right? 

A. It talks about how NASA believed it was mitigated at 
the time they wrote the report. And I mentioned those 
pages when I put the chart up, my slide says page 36 to 
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1 39, whatever the numbers are. 

2 Q. But you didn't show that they were mitigated, these 

3 software errors had a mitigation strategy for each one of 

4 them? 

5 A. I think I clearly stated that NASA misunderstood 

6 that some of them didn't exist. And that's what I would 

7 have explained if I went to this level of detail. 

8 Q. Now, let's go to slide 43. 

9 A I'll give an example just to continue my answer. 

10 One of those -- 

11 Q. I don't think there is a question pending. 

12 THE COURT: You can ask him on redirect. 

13 Q. (BY MR. BIBB) And at slide 43 you again quoted 

14 Mr. Ishii, but if we look at what he actually said on 

15 page 37, what we left out, what he said was that, of 

16 course, Toyota would conduct its test to see if the chips 

17 that are delivered would have the requisite functionality 

18 and performance. But admittedly they didn't do a design 

19 review of somebody else's source code, correct? 

20 A. They didn't do a design review, and I think the 

21 point stands for itself. 

22 Q. It was a source code provided to Toyota by 

23 suppliers, right? 

24 A. Right. So here he's referring to the ESP-B2 monitor 

25 chip and he's saying they didn't review the source code 
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1 for this very important chip, including through the date 

2 when they were telling Congress and the world that there 

3 couldn't be possibly be a software error, though they 

4 already knew that it was spaghetti code. 

5 Q. They knew -- they tested it and they knew it 

6 performed and functioned as it was intended to, right? 

7 A. In the testing they performed of ESP-B2 chip, which 

8 is obviously not as much testing as a vehicle fleet of 

9 millions of vehicles driving around. 

10 I did a calculation that I included in my report. 

11 Toyota told NHTSA and Congress about the amount of 

12 testing they had performed on this series of Camry ' s . 

13 And if I remember the numbers correctly, it was something 

14 like 400,000 hours of testing. That sounds like a lot of 

15 testing, sounds very impressive, but if you simply do a 

16 little math, the first, I think it was -- I'd like to 

17 refer to my report to get the exact numbers -- but I 

18 think I calculated the first 3,000 people to buy that car 

19 in their two weeks of ownership would conduct more than 

20 100,000 hours -- morn than double, more a million hours 

21 of testing. 

22 And so, when Toyota says we tested our car, they 

23 tested a couple of cars that came off the factory line 

24 first, under certain conditions, and then they started 

25 selling the cars and there were now 3,000 of them or 
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1 400,000 of them. I think they sold 400,000 2005 Camrys 

2 ultimately, and that is a much larger universe of 

3 testing. People are driving it in different weather 

4 conditions, they're driving with more miles, there are 

5 manufacturing variances between vehicles, electrical, 

6 mechanical, and all of those experiments are taking place 

7 in the real world. 

8 Q. Let's look at slide 53. This is another one of Mr. 

9 Louden' s tests you talked about, right? 

10 A. That's correct. 

11 Q. Now we saw the earlier one we looked at, that was 

12 actually a 2008 Camry being tested, wasn't it? 

13 A. It was. 

14 Q. Is this one a 2008 or a 2005? 

15 A. This is a 2005 Camry, just like the Bookout vehicle. 

16 Q. And here the thing I want to focus on is this last 

17 row down here. And there Toyota has a brake switch 

18 that's connected to the brake pedal, and when you tap the 

19 brake pedal, that switch, it's a mechanical switch, 

20 electro-mechanical switch, isn't it? When you tap the 

21 brake pedal, one switch goes from open to close, and the 

22 other part of the switch goes closed to open, right? 

23 A. That's right. The first one is called STP, that's 

24 the primary stop brake switch. That's the one that 

25 lights the lights on the back when you see someone's 
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1 brake lights come on. And there's a secondary switch 

2 called ST1 minus. 

3 Q. If we look at this last column down here, you can 

4 see there's the one line, and I would have to go and look 

5 at this, but suffice one of them is ST1 and one of them 

6 is STP, right? 

7 A That ' s correct . 

8 Q. Admittedly I"m color blind, but I think that's a 

9 blue line down there, and I can't really tell what color 

10 this is, it's either red or green. 

11 A. It's both red and green because it's got data from 

12 inside the computer and data from the actual brake pedal. 

13 Q. You made me feel a lot better with that answer. But 

14 when you press the brake pedal right over here, this blue 

15 line should have gone up here? 

16 A. That's right. It's not relevant to this particular 

17 test. Mr. Louden conducted a number of -- in the Saint 

18 John case there was early on some indications that there 

19 might have been a problem with the secondary brake 

20 switch, and so he conducted these tests with a number of 

21 different combinations of that switch not working and 

22 working. This set of data -- that doesn't change the 

23 outcome here. It's not related to the monitor CPU and no 

24 other part of the software that's relevant to this 

25 really. 
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Q. And it's not relevant to Ms. Bookout ' s case because 
we know her brake switch worked? 

A. Well, this graph is absolutely relevant. That 
doesn't change the relevance to Ms. Bookout ' s case. 

Q. The other thing we notice up here is when this — 
when that task is killed here, this is the throttle 
opening, right? This is degrees now, we can actually 
look at the throttle opening, correct? 

A. That's correct. 

Q. And so when this task is killed and she's doping 45 
miles an hour, or Mr. Louden is moving 45 miles an hour, 
the throttle is open and at about, what, 14 degrees, 
correct ? 

A. Yes. If you look at this curve, you'll see that 
it's up there around 15 degrees, I guess, close to the 
task death killing. 

Q. Here's 10 and there's 20. And task death occurs at 
that dotted line, and this thing -- it settles in, looks 
like roughly 13 or 14 degrees? 

A. I would agree with that. It looks to me what Mr. 
Louden did was he had his foot more on the accelerator, 
before he killed the task, he got up to his target speed 
about 45 miles and hour, and then as he let off the 
accelerator there, before the task death, it dropped down 
to the 13 or 14 you're talking about. 
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1 Q. If it's at 14 degrees of throttle opening, you're 

2 never going to lose vacuum assist if you pump the brakes 

3 in that situation, are you? 

4 A. I've not heard a number as low as 13 or 14 degrees. 

5 Q. So the answer is that you'd always replenish the 

6 vacuum boost if you had this scenario here of 45 miles 

7 hour, right? 

8 A. As an engineer I've learned to be cautious about 

9 absolutes, so I won't say always, but I think it's 

1 0 unlikely . 

11 Q. Tell you what, from what you know though, you still 

12 have vacuum assist, right, based on everything you've 

13 heard so as far, correct? 

14 A. I think that's right. 

15 Q. Now, all I want to do, Mr. Barr, here to finish up. 

16 You talked to us a lot at the end of the day yesterday 

17 about some other people's wrecks that you told the jury 

18 you thought were similar to Ms. Bookout's, correct? 

19 A. Yes, they informed my analysis. 

20 Q. And the first one was a Mr. Beresford Hill, do you 

21 remember that name? 

22 A. I remember the name. 

23 Q. And Mr. Beresford Hill, did you read his deposition? 

24 A. I believe so, if I had his deposition and cited to 

25 it there, I read it. 
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1 Q. Page four of Mr. Barrister Hill's deposition, 

2 because I'd like to look at how he describes -- this is 

3 his deposition beginning at line 2 and just go down to 

4 line 11. And he said, "As I pressed my foot on the 

5 accelerator it was as if the car took on a life of its 

6 own . " 

7 So now, Mr. Hill stepped on the gas and the car took 

8 off. Is that the way the car is supposed to work? 

9 A. I think Mr. Barrister Hill was describing a 

10 situation where the accelerator pedal press was a lot 

11 less than the car's acceleration. 

12 Q. Let's assume that this could be caused because he 

13 pressed his foot a little harder than he expected on the 

14 gas pedal, couldn't he? 

15 A. I don't know why we would assume that, sir. 

16 Q. But he instinctively put his left foot on the brake, 

17 and when he did that, it would have brake echo check, 

18 wouldn't he? 

19 A. No, not necessarily. 

20 Q. Just every time you've ever tested it, it worked, 

21 right? 

22 A. We don't know that this particular UA, which I 

23 believe was caused by software malfunction, was caused by 

24 task X death specifically. It's my understanding it was 

25 a software malfunction. I don't know whether it was task 
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X or task X in combination with other things. So I don't 
know whether that failsafe should have acted in that 
particular situation. 

I know that even if it was task death X, it won't be 
100 percent reliable, that brake echo. 

Q. And you're telling this jury that this one, software 
failure, stepped on the gas and the car took off, right? 
A. It's my view that that is a description of a 
software malfunction. 

Q. Now, how about, one of the other ones was a Chory, 
C-H-O-R-Y, did you review the event data recorder for 
that crash? 

A. I don't believe I had the actual event data 
recorder, but I'm familiar that Toyota reviewed it. 

Q. Have you seen that data readout? 

A I don't think I've seen that data readout. 

Q. You've seen these before, haven't you? 

A. Yes. 

Q. You understand how to read them. If we look at this 
paragraph right there, that box shows that the brake was 
never applied, right? 

A. That's what it shows. I've written a separate 
chapter about how these pre-crash recorders have their 
own defects. In fact, Mr. Arora in his September 17th 
report last year, he actually demonstrated for us that 
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1 the car he was pressing the brake on, the recorded black 

2 box data sequence said he didn't press the brake. And 

3 that's cited in my chapter on the pre-crash EDR, which is 

4 not really directly relevant to this case because the 

5 2005 Camry wasn't equipped with that, but the point being 

6 that in this later Camry that had it, this is not 

7 something we can rely on to disprove a software 

8 malfunction. In fact, with the UA occurs and task K is 

9 dead, the pre-crash EDR will be wrong about the brake 

10 signal specifically. That's what Mr. Arora's data 

11 showed. 

12 Q. And you know that NHTSA disagrees with you on that? 

13 A. No. The analysis this NHTSA did was a very 

14 different analysis. What NHTSA did was to evaluate that 

15 if data was stored in the black box, that it was reliably 

16 read out the same way that it was in the box. NHTSA 

17 didn't evaluate -- they did evaluate in one bumper crash 

18 that they got the right data. But that didn't prove -- 

19 we read the code and said -- and we even got the 

20 pre-crash EDR code and we saw that it could be confused 

21 also by task X death, specifically about the brake pedal. 

22 So NHTSA always assumed that these black boxes were 

23 reliable, but they're not. And that's been demonstrated 

24 by Toyota's own expert. 

25 Q. But they dud a study of those and no matter how you 
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1 want to characterize it, they validated the validity of 

2 these EDR readouts, didn't they? 

3 A. As I explained, they validated that the data could 

4 be read properly by either a tool from Bosch or a tool 

5 from Toyota. They didn't validate properly 

6 scientifically like we did that this could be wrong. 

7 Q. They did some testing with vehicles to confirm with 

8 accelerometers and their data acquisition that the data 

9 that was being recorded in the EDR was the same data they 

10 were getting with their external recording devices, 

11 correct? You are aware of that study? 

12 A. Again, sir, it doesn't matter how many tests showed 

13 that the EDR worked. We have one test that was conducted 

14 by Toyota's own expert that proves it can be wrong. And 

15 that is sufficient to prove there are aliens in the 

16 universe. That is sufficient to prove that the EDR is 

17 not reliable. So one test like that disproves this view 

18 that Toyota would have you have that this is reliable. 

19 Q. I'll tell you what, Mr. Barr, I'm going to do one 

20 more person's incident here. Mr. Heinrich or 

21 H-e-i-n-r-i-c-h? 

22 A. Is that the gentleman with three incidents? 

23 Q. That's the gentleman with three incidents. Let's 

24 talk about a couple of the incidents. You ruled out 

25 floor mat interference in that case? 
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1 A. Yes. Well, I should say I didn't do a root cause 

2 analysis but my understanding was it was not likely floor 

3 mat . 

4 Q. You know though he had a set of all weather rubber 

5 mats placed on top of his carpeted mat in the vehicle? 

6 A. That's not true the third incident. 

7 Q. I'm going to get to the third one, but the first 

8 incident and the second incident he had an all weather 

9 rubber floor mat on top of his carpet mats, is that 

10 right? 

11 A. I believe that's accurate. 

12 Q. And that was exactly a concern that Toyota had, 

13 right? 

14 A. Just because they are there, doesn't mean that's 

15 what happened. 

16 Q. So if we can then go to page 42. Let's look at his 

17 third incident, and this is the one where he was waiting 

18 for the train, do you remember that? 

19 A. I do. 

20 Q. And if we could look starting at line 9 how he 

21 described it. And he said it was a normal day, crossing 

22 gates came down, waiting for the train, put it in park 

23 because they are usually freight trains and they are long 

24 so I just waited my time. When it came to time to go, 

25 the crossing gates went up, I put the car in gear, gave 
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it a little bit of gas because of school zone just a 
quarter of mile and the car took off. 

And he said, it was gradual, I just had no control 
over it. Again, this is a gentleman who's putting his 
foot on the gas to accelerate away from a railroad grade, 
isn't he? 

A. Yes, and his car is giving him an unintended amount 
of acceleration when he does. 

Q. And but again, maybe Mr. Heinrich just pressed on 
the gas pedal harder than he expected, he got more result 
than he wanted. That's another way of looking at that 
accident, isn't it? 

A. That's a possibility. 

MR. BIBB: May I have a moment. Your Honor? 

THE COURT: Yes. 

MR. BIBB: Was an a little longer than 15 

minutes, but thank you very much, Mr. Barr for coming. 

Do you want to take our morning break? 

THE COURT: Mr. Baker, how much do you have? 

More than a few minutes? 

MR. BAKER: Yes, ma'am. 

THE COURT: We will take our morning break 

then. Ladies and gentlemen, it's 10: 30, we'll be in 
recess for 15 minutes. I'll remind you, do not discuss 
the case and form no opinions about the case. All rise 
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argument . 

THE COURT: All right. 

(THE FOLLOWING PROCEEDINGS WERE HAD WITHIN THE 
HEARING OF THE JURY AS FOLLOWS:) 

THE COURT: Ladies and gentlemen, I apologize 

for the delay. We had a deposition that we're going to 
play as soon as Mr. Barr's testimony is completed and I 
had to make some evidentiary rulings. I wanted to let 
you know after we completed Mr. Barr's testimony, the 
next witness will be video testimony again. We are going 
to start that and go until about 12:30 and then we will 
break at 12:30. I have a matter at 1:00 in another case, 
believe it or not, I still have other cases that I need 
to take up, so I have a 1:00 but it shouldn't take over 
15 minutes, so we will break from 12:30 to 1:30 today for 
lunch. Thank you very much. 

You may proceed. 

REDIRECT EXAMINATION 

BY MR. BAKER: 

Q. Let me kind of start at the back where you all ended 
and I want to talk a little bit about the EDR you all had 
a great field discussion about EDRs, when it occurs and 
whether NASA looked at it with respect to a particular 
OSI or other similar incidents. Do you remember that 
discussion? 
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1 A. Yes. 

2 Q. As I understood, is it true that the EDR event data 

3 recorder in 2005 Camry would not record anything that 

4 happened before a crash? 

5 A. That's right. And the black box in the air bag 

6 computer in the 2005 Camry simply recorded that there was 

7 a crash and information about the crash. And it could 

8 record I believe up to three total crashes. And then the 

9 later models had a black box that recorded not only if 

10 there was a crash, but also the five — sample data in 

11 the five seconds before the crash. 

12 Q. Our car doesn't have that? 

13 A. That's right. This car in this case doesn't have 

14 any pre-crash data. 

15 Q. But the EDR that is in our vehicle was downloaded? 

16 A. That's correct. 

17 Q. And you've seen the information downloaded from our 

18 EDR? 

19 A. I have. 

20 Q. Did it record anything? 

21 A. No, despite the crash, there was no data recorded, 

22 no crash was recorded in the air bag control unit. 

23 Q. Even though there is a 30 mile an hour impact at the 

24 end of this sequence, nothing recorded? 

25 MR. BIBB: Objection, no foundation. 
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1 THE COURT: Overruled. You may answer. 

2 THE WITNESS: That's right, despite the crash 

3 there was no crash recorded in the air bag computer. 

4 Q. (BY MR. BAKER) You were also asked about the OSI in 

5 terms of your root cause analysis in this case. Do you 

6 recall those questions? 

7 A. Yes. 

8 Q. You looked at those OSIs for particular things and 

9 used them as part of your analysis, do you remember that? 

10 A. I do. 

11 Q. In terms of doing a root cause analysis and trying 

12 to determine what causes these unintended acceleration 

13 events, would it be reasonable to overlook a 400 percent 

14 increase in UA events starting in 2004 in the Camry? 

15 A. No, it would not be. 

16 Q. You were also asked some questions about the NASA 

17 report. Be very brief on this. Yesterday you discussed 

18 several aspects as we've already seen. Is it true that 

19 NASA made its conclusions based on some inaccurate 

20 information given to them by Toyota? 

21 A. That's correct. 

22 Q. For example, you mentioned they had told NASA there 

23 was EDAC on the 2005 Camry? 

24 A. That's correct. On that basis NASA said, well, it 

25 can't be hardware bit flip because there's EDAC. But 
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since there's no EDAC, then there can be a hardware bit 
flip, and NASA was concerned about hardware bit flips, 
rightly so. 

Q. Is it one of these bit flips that we talked about 
that we can have the throttle angle variable become 
corrupt ? 

A. That's one way it could happen, that's right. 

Q. Is it a corrupted throttle angle variable that could 
make the throttle go anywhere? 

A. That's right, anywhere between, up to degrees or 
100 percent. 

Q. So in this case, if Ms. Bookout has her foot on the 
accelerator and it's at whatever, I think one of the 
numbers we talked about was 15 degrees opening, if you 
have this memory corruption on the throttle variable 
angle, could it send it anywhere? 

A. That's correct. 

Q. And you were criticized for the quote you put up of 
what Mr. Ishii said. Mr. Ishii said there is absolutely 
no bugs in the software. 

MR. BIBB: Objection, misleading. 

Q. (BY MR. BAKER) Ultimately what he said was on the 
power train software that he was discussing was the part 
put up by Mr. Bibb, he said there was no bugs. 

MR. BIBB: Objection, misstates testimony. Your 


THIS TRANSCRIPT IS NOT PROOFREAD 



80 


1 Honor. 

2 THE COURT: Overruled. 

3 THE WITNESS: I understand Mr. Ishii's 

4 testimony in the portion Mr. Bibb cited to be not that 

5 there were no bugs, but that there were no bugs, he 

6 thought or believed that there were no bugs of a specific 

7 type. 

8 Q. (BY MR. BAKER) And my only point asking that 

9 question is, there is bugs in every software? 

10 A. Any reasonably complex software has bugs. This 

11 software certainly has bugs. 

12 Q. And you were also asked about some examples up here 

13 in the brake echo, and some of the tests that you ran 

14 that showed that if you had your foot on the brake and 

15 this task death occurred, or you had concluded the 

16 variable angle malfunction of the throttle control, that 

17 you have to take your foot back off the brake in order to 

18 have — 

19 A. That's correct. And even then it may not happen. 

20 Q. But if it does come into effect, as I understand 

21 your testimony, it stalls the vehicle? 

22 A. Three second afterwards approximately. 

23 Q. We know Ms. Bookout ' s vehicle did not stall, 

24 correct? 

25 A. That's correct. 
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Q. So under the scenario that you've described for the 
jury, would that mean that she never transitioned the 
brake switch? 

A. That's correct . 

MR. BAKER: That's all I have. 

THE COURT: Mr. Barr, you may step down. 

THE WITNESS: Thank you. Your Honor. 

THE COURT: Mr. Baker, you may call your next 

witness . 


MR. BAKER: We have a few exhibits with Mr. 

Barr, we'll take up at the break. 

THE COURT: Okay. 

MR. BAKER: We're going to call by videotape 

Mary Pries-Morrison . 


THE COURT: Okay thank you. 

(Playing video.) 

THE COURT: ladies and gentlemen, there's 

still about 25 or 30 minutes left on this, because of my 
schedule in needing to take care of another matter we're 
going to go ahead and break for lunch at this point in 
time. We'll be in recess until 1:30, again remind you 
don't discuss the case, don't form any opinions about the 
case during the break. If you did not check in at the 
jury assembly room this morning, please do so during the 
lunch break. 
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